ABSTRACT

Part I of this report discusses a computer-oriented methodology for deriving minimal cut and path set families associated with arbitrary fault trees. Part II describes the use of the Fault Tree Analysis Program (FTAP), an extensive FORTRAN computer package that implements the Part I methodology. An input fault tree to FTAP may specify the system state as any logical function of subsystem or component state variables or complements of these variables. When fault tree logical relations involve complements of state variables, the analyst may instruct FTAP to produce a family of prime implicants, a generalization of the minimal cut set concept. FTAP can also identify certain subsystems associated with the tree as system modules and provide a collection of minimal cut set families that essentially expresses the state of the system as a function of these module state variables. Another FTAP feature allows a subfamily to be obtained when the family of minimal cut sets or prime implicants is too large to be found in its entirety; this subfamily consists only of sets that are "interesting" to the analyst in a special sense.
INTRODUCTION

The analyst who seeks to determine reliability characteristics of a complex system, such as a nuclear reactor, in terms of the reliability characteristics of its subsystems and components confronts a number of difficult tasks. One task involves identification, either implicitly or explicitly, of logical modes of system success or failure, that is, various distinct combinations of subsystems whose mutual success or failure implies success or failure of the entire system. Minimal cut set and path set families, tools familiar to reliability analysts for some time, provide an explicit representation of these modes. These families are useful not only for evaluating reliability characteristics of a system but also as a design tool to guide system modifications for enhancing reliability.

A widely used concept in reliability analysis of complex systems is that of a fault tree. Fault tree methods are based on the observation that the system state, either working or failed, can usually be expressed as a Boolean relation between states of several large, readily identifiable subsystems. The state of each subsystem in turn depends on states of simpler subsystems and components which compose it, so the state of the system itself is determined by a hierarchy of logical relationships between states of subsystems. A fault tree is a graphical representation of these relationships. At the lowest level of the hierarchy are subsystems whose success or failure dependence is not further described. If reliability information is available for these lowest level subsystems, then it may be possible to use this information to deduce reliability characteristics of the system itself.
An analyst who prepares a system fault tree often does so with the intention of utilizing it to obtain certain minimal cut (or path) set families in terms of these lowest level subsystems and components. Part I of this discussion outlines a computer-oriented methodology for deriving such families for an arbitrary fault tree. Part II describes the use of the Fault Tree Analysis Program (FTAP), an extensive computer package, written mostly in FORTRAN, which implements the Part I methodology.

FTAP has a number of useful features that make it well-suited to nearly all fault tree applications. An input fault tree to this program may specify the system state as any logical function of subsystem or component state variables or complements of these variables; thus, for instance, exclusive-or type relations may be formed. When fault tree logical relations involve complements of state variables, the concept of a minimal cut set family is no longer particularly useful, so in this case the analyst may instruct FTAP to produce a family of prime implicants, a generalization of the minimal cut set concept. The program offers the flexibility of several distinct methods of generating cut set families, and these methods may differ considerably in efficiency, depending on the particular tree analyzed. FTAP can also identify certain subsystems as system modules and provide a collection of minimal cut set families that essentially expresses the state of the system as a function of these module state variables. This collection is a compact way of representing the same information as contained in the system minimal cut set family in terms of lowest level subsystems and components. Another feature allows a useful subfamily to be obtained when a family of minimal cut sets or prime implicants is too large to be found in its entirety; this subfamily may consist of only sets not containing more than some fixed number of elements or only sets that are "interesting" to the analyst in a special sense. Finally, the analyst can modify the input fault tree in various ways by declaring state variables identically true or false.

A number of computer programs are currently available for obtaining minimal cut set families from fault trees, and some of these programs are mentioned in the discussion of Part I. One very capable package that deserves special mention is the SETS program developed by Dr. Richard Worrell of Sandia Laboratories [18]. In addition to fault tree analysis, SETS manipulates arbitrary Boolean expressions. For fault tree work, several features of FTAP and SETS are similar, and both programs have been used with good results during the past year in nuclear reactor safety studies conducted by Dr. Howard Lambert of the Lawrence Livermore Laboratories.
PART I

METHODS FOR COMPUTER-AIDED FAULT TREE ANALYSIS

The first two sections below essentially provide notation and background information for the procedures presented in Sections 1.3 and 1.4. The notation introduced in Section 1.1 has been chosen both to reflect the computer implementation of these procedures and to relate their various operations to manipulation of Boolean expressions. In Section 1.2, fault trees and implicant families are formally defined, and two quite well-known fault tree algorithms, MOCUS and MICSUP, are reviewed.

The reader who is primarily interested in using FTAP should look over Section 1.1 and Subsections 1.2.1, 1.2.2, 1.3.1, 1.3.2, and 1.4.4 before skipping to Part II.

1.1  Boolean  Expressions 

The reader is assumed to be familiar with the rudiments of Boolean algebra; a reference such as [16], for instance, is more than adequate as background. Let $x_1, \ldots, x_q$ be Boolean variables independently taking on values of 0 or 1, and let $\mathbf{x} = (x_1, \ldots, x_q)$ be a vector of 0's and 1's representing an arbitrary choice of these values. We denote complementation by negation of subscripts: For any $u$ in the set $U = \{1, \ldots, q\}$, the complement of $x_u$ $(= 1 - x_u)$ is written as $x_{-u}$. The index set for complements is $-U = \{-1, \ldots, -q\}$, and $(u,-u)$ is a complementary pair of indices.
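Expressions may be formed using $x_1, \ldots, x_q, x_{-1}, \ldots, x_{-q}$ and the ordinary Boolean relations of product and sum. An arbitrary nonempty family $\mathcal{I}$ of subsets of $U \cup (-U)$ (not necessarily distinct) is identified with the Boolean sum-of-products expression

$$\sum_{I \in \mathcal{I}} \prod_{i \in I} x_i .$$

The notation $/\mathcal{I}/\mathbf{x}$ denotes the value of this expression for a given vector $\mathbf{x}$ of 0's and 1's, that is,

$$/\mathcal{I}/\mathbf{x} = \max_{I \in \mathcal{I}} \left( \min_{i \in I} x_i \right) \equiv \sum_{I \in \mathcal{I}} \prod_{i \in I} x_i .$$

$/\mathcal{I}/$ may then be taken as a Boolean function mapping each vertex of the $q$-dimensional unit cube into 0 or 1. Given nonempty families $\mathcal{I}$, $\mathcal{J}$, and $\mathcal{K}$ of subsets of $U \cup (-U)$, $/\mathcal{I}/ \equiv /\mathcal{J}/$ means that for all $\mathbf{x}$, $/\mathcal{I}/\mathbf{x} = /\mathcal{J}/\mathbf{x}$. Similarly, if for all $\mathbf{x}$, $/\mathcal{I}/\mathbf{x} = /\mathcal{J}/\mathbf{x} + /\mathcal{K}/\mathbf{x}$ ($/\mathcal{I}/\mathbf{x} = /\mathcal{J}/\mathbf{x} \cdot /\mathcal{K}/\mathbf{x}$), write $/\mathcal{I}/ \equiv /\mathcal{J}/ + /\mathcal{K}/$ ($/\mathcal{I}/ \equiv /\mathcal{J}/ \cdot /\mathcal{K}/$). For the null family ($\emptyset$) we define $/\emptyset/ \equiv 0$; although for the family containing only the empty set ($[\emptyset]$), $/[\emptyset]/$ is left undefined.

The union of families $\mathcal{I}$ and $\mathcal{J}$ clearly has the property

$$/\mathcal{I} \cup \mathcal{J}/ \equiv /\mathcal{I}/ + /\mathcal{J}/ .$$

Now suppose $U = \{1,2,3\}$ and $\mathcal{I}_1 = [\{2,3\}]$, $\mathcal{I}_2 = [\{1,2,3\}]$, and $\mathcal{I}_3 = [\{-1,-3,3\}]$. For any $\mathbf{x} = (x_1,x_2,x_3)$, $/\mathcal{I}_3/\mathbf{x} = x_{-1}x_{-3}x_3 = 0$, so $/\mathcal{I}_1 \cup \mathcal{I}_2 \cup \mathcal{I}_3/ \equiv /\mathcal{I}_1 \cup \mathcal{I}_2/$, and $\mathcal{I}_3$ need not be considered further. Thus to simplify the discussion, it is assumed that no set of a family contains a complementary pair; whenever a new family is constructed, any sets containing complementary pairs are simply eliminated.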
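In the example above it is also true that for all $\mathbf{x}$, $/\mathcal{I}_1/\mathbf{x} = /\mathcal{I}_1 \cup \mathcal{I}_2/\mathbf{x}$, since $\{2,3\} \subset \{1,2,3\}$, and thus $/\mathcal{I}_1/\mathbf{x} = 1$ whenever $/\mathcal{I}_2/\mathbf{x} = 1$. A family is said to be minimal if all sets are distinct and for any two sets of the family, neither is a subset of the other. For any family $\mathcal{I}$, let $m[\mathcal{I}]$ (the "minimization" of $\mathcal{I}$) be the minimal family obtained by eliminating duplicate sets and those which contain another set of $\mathcal{I}$. For instance, $m[[\{2,3\},\{1,2,3\}]] = [\{2,3\}]$. Of course, for any $\mathcal{I}$, $/m[\mathcal{I}]/ \equiv /\mathcal{I}/$.

Next, the product family $\mathcal{I} \times \mathcal{J}$ of two families $\mathcal{I} \neq \emptyset$ and $\mathcal{J} \neq \emptyset$ is defined by $[I \cup J \mid I \in \mathcal{I},\ J \in \mathcal{J}]$; that is, $\mathcal{I} \times \mathcal{J}$ consists of all possible sets that may be formed by taking the union of a set from $\mathcal{I}$ and a set from $\mathcal{J}$, excluding unions which contain complementary pairs. The product is assumed to be empty if either $\mathcal{I}$ or $\mathcal{J}$ is empty. Evidently, $/\mathcal{I} \times \mathcal{J}/ \equiv /\mathcal{I}/ \cdot /\mathcal{J}/$ since for all $\mathbf{x}$,

$$/\mathcal{I}/\mathbf{x} \cdot /\mathcal{J}/\mathbf{x} = \left( \sum_{I \in \mathcal{I}} \prod_{i \in I} x_i \right) \left( \sum_{J \in \mathcal{J}} \prod_{j \in J} x_j \right) = \sum_{K \in \mathcal{I} \times \mathcal{J}} \prod_{k \in K} x_k .$$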

We will need one additional concept. Given a nonempty family $\mathcal{I}$ of subsets of $U \cup (-U)$, the dual family of $\mathcal{I}$, denoted by $d[\mathcal{I}]$, consists of all distinct sets $J$ such that $J \cap I \neq \emptyset$ for each $I \in \mathcal{I}$ and no subset of $J$ has this property. By definition, $d[\mathcal{I}]$ is always minimal, and though $\mathcal{I}$ may not be minimal, it is not difficult to see $d[\mathcal{I}] = d[m[\mathcal{I}]]$. In general, $d[d[\mathcal{I}]] \neq \mathcal{I}$, though there is one important case in which equality holds: If $\mathcal{I}$ is a minimal family of subsets of $U$ (rather than $U \cup (-U)$) then $\mathcal{I}$ is called a clutter, and $d[\mathcal{I}]$ is then known as the blocker of $\mathcal{I}$, usually written as $b[\mathcal{I}]$. It can be shown [5] that $b[b[\mathcal{I}]] = \mathcal{I}$. If $\mathcal{I}$ consists of subsets of $U \cup (-U)$, however, then $d[\mathcal{I}]$ may be empty; for instance, let $\mathcal{I} = [\{-1\},\{1\}]$.


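The dual family is useful because it allows us to relate an expression in product-of-sums form to a sum-of-products form. Some thought indicates that for all $\mathbf{x}$,

$$\prod_{I \in \mathcal{I}} \sum_{i \in I} x_i = \sum_{I \in d[\mathcal{I}]} \prod_{i \in I} x_i ,$$

$$\sum_{I \in \mathcal{I}} \prod_{i \in I} x_i = \prod_{I \in d[\mathcal{I}]} \sum_{i \in I} x_i .$$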


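The following simple propositions will be useful later on:

Proposition 1.1.1:

If $\mathcal{I} \neq \emptyset$ then for all $\mathbf{x}$, $1 - /d[\mathcal{I}]/(\mathbf{1} - \mathbf{x}) = /\mathcal{I}/\mathbf{x}$, where $\mathbf{1} - \mathbf{x}$ is the vector $(1 - x_1, \ldots, 1 - x_q)$.

This is true because De Morgan's Law gives

$$\sum_{I \in \mathcal{I}} \prod_{i \in I} x_i = 1 - \prod_{I \in \mathcal{I}} \sum_{i \in I} (1 - x_i) ,$$

and the value of the expression on the right equals

$$1 - \sum_{I \in d[\mathcal{I}]} \prod_{i \in I} (1 - x_i) ,$$

which is $1 - /d[\mathcal{I}]/(\mathbf{1} - \mathbf{x})$.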


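Proposition 1.1.2:

If $\mathcal{I} \neq \emptyset$ and $\mathcal{J} \neq \emptyset$, then

$$d[\mathcal{I} \cup \mathcal{J}] = m[d[\mathcal{I}] \times d[\mathcal{J}]] .$$

It is easy to see that $d[\mathcal{I} \cup \mathcal{J}] \subset d[\mathcal{I}] \times d[\mathcal{J}]$, and each set of $d[\mathcal{I}] \times d[\mathcal{J}]$ equals or contains a set of $d[\mathcal{I} \cup \mathcal{J}]$, so the above proposition follows. A corollary is:

Proposition 1.1.3:

For $\mathcal{I} \neq \emptyset$ and $\mathcal{J} \neq \emptyset$, if $d[d[\mathcal{I}]] = \mathcal{I}$ and $d[d[\mathcal{J}]] = \mathcal{J}$ then $d[d[\mathcal{I}] \cup d[\mathcal{J}]] = m[\mathcal{I} \times \mathcal{J}]$.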
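The family operations of this section and Propositions 1.1.1 to 1.1.3 can be checked mechanically. The Python sketch below is an added example, not code from the report or from FTAP; it represents a family as a set of frozensets of signed integers, and the function names (`family`, `minimize`, `times`, `dual`, `value`) are chosen here for illustration.

```python
from itertools import product as cartesian

def has_pair(s):
    """True if a set contains a complementary pair of indices (u, -u)."""
    return any(-i in s for i in s)

def family(*sets):
    """A family of index sets; sets containing a complementary pair are eliminated."""
    return {frozenset(s) for s in sets if not has_pair(s)}

def minimize(fam):
    """m[I]: keep only sets that contain no other set of the family."""
    return {s for s in fam if not any(t < s for t in fam)}

def times(fam_i, fam_j):
    """I x J: every union of a set of I with a set of J; empty if either is empty."""
    return family(*(a | b for a in fam_i for b in fam_j))

def dual(fam):
    """d[I]: the minimal sets meeting every set of a nonempty family I.

    Built as m[ x_{I in fam} [{i} : i in I] ], that is, a product of sums
    expanded into a sum of products, which is how the text relates the two forms.
    """
    result = {frozenset()}
    for s in fam:
        result = minimize(times(result, {frozenset([i]) for i in s}))
    return result

def value(fam, x):
    """/I/x for x given as a tuple (x_1, ..., x_q), with x_{-u} = 1 - x_u."""
    lit = lambda i: x[i - 1] if i > 0 else 1 - x[-i - 1]
    return int(any(all(lit(i) for i in s) for s in fam))

def prop_1_1_1(fam, q):
    """Check 1 - /d[I]/(1 - x) = /I/x on every vertex of the q-cube."""
    d = dual(fam)
    return all(1 - value(d, tuple(1 - v for v in x)) == value(fam, x)
               for x in cartesian((0, 1), repeat=q))

def prop_1_1_2(fam_i, fam_j):
    """Check d[I u J] = m[d[I] x d[J]]."""
    return dual(fam_i | fam_j) == minimize(times(dual(fam_i), dual(fam_j)))

def prop_1_1_3(fam_i, fam_j):
    """Check d[d[I] u d[J]] = m[I x J], given d[d[I]] = I and d[d[J]] = J."""
    assert dual(dual(fam_i)) == fam_i and dual(dual(fam_j)) == fam_j
    return dual(dual(fam_i) | dual(fam_j)) == minimize(times(fam_i, fam_j))
```

For the family [{1},{-1,2}], `dual(dual(...))` returns [{1},{2}], which illustrates that $d[d[\mathcal{I}]]$ need not equal $\mathcal{I}$ once complemented indices are present.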

1.2  Fault  Tree  Fundamentals 

Some of the terminology and notation of Subsection 1.2.1 is not in standard use for fault tree work, partly because fault trees are traditionally defined in a manner that does not permit system failure to depend on complements of Boolean state variables for subsystems or components. Subsection 1.2.2, which presents the MOCUS and MICSUP methods in the context of this notation and terminology, serves as a useful introduction to the algorithms of Section 1.4. The final subsection, 1.2.3, formalizes the idea of a subfamily of "interesting"
1.2.1 Fault Tree Definitions

Formally, a fault tree is an acyclic directed graph $(U,A)$, where $U$ is the set of nodes and $A$ is the set of arcs. Any pair of nodes may be joined by at most a single arc, which may be either a regular arc or a complementing arc. Nodes having no entering arcs we call basic nodes, and those having one or more entering arcs are called gate nodes. Those which have no leaving arcs are top nodes; a fault tree usually has only a single top node. The tree is drawn with arc paths directed upward from basic nodes and terminating at the top node. Nodes are numbered by consecutive positive integers, with gates numbered first. Also, associated with each gate is a logic indicator, a positive integer $\ell$ that may take on any value between 1 and the number of entering arcs for that gate.

Figure 1 presents a typical fault tree to illustrate the above terminology. Basic nodes are denoted by circles and gate nodes by rectangles with node 1 as the top. All arcs are regular with the exception of the complementing arc joining nodes 6 and 4, and this arc is distinguished by the symbol "—". The logic indicator for each gate node appears in the lower half of the rectangle;
and  are  all  1 , and  Hj  , ^ , and  are  equal  to  2 . 

We say that node $v$ is a subnode of node $u$ if there is an arc path directed upward from $v$ to $u$, and $v$ is an immediate subnode of $u$ if there is a single upward arc from $v$ to $u$. Nodes 7, 8, 12, 13, and 14, for instance, are subnodes of node 5; whereas, 7 and 8 are the immediate subnodes of 5. When $v$ is a subnode (immediate subnode) of $u$, $u$ is sometimes referred to as a supernode (immediate supernode) of $v$.
Finally, given a set of nodes $V \subset U$, a downward order on $V$ is any complete ordering ($\succeq$) of nodes of $V$ such that for any $v, w \in V$, $v \succeq w$ implies $v$ is not a subnode of $w$. On the other hand, if $w \succeq v$ implies $v$ is not a subnode of $w$, then the order ($\succeq$) is an upward order. Thus, for $V = \{2,3,4,5\}$, $2 \succeq 3 \succeq 5 \succeq 4$ is a downward order and $5 \succeq 4 \succeq 3 \succeq 2$ is an upward order.

A fault tree is a convenient representation of a system of Boolean expressions. Let the set of nodes be $U = \{1, \ldots, p-1, p, p+1, \ldots, q\}$ where $G = \{1, \ldots, p\}$ are gate nodes and $B = \{p+1, \ldots, q\}$ are basic nodes. With the $u$th node we associate the Boolean variable $x_u$. If $u$ is a basic node, then $x_u$ may take on the value 0 or 1, independently of the values of other node variables; thus, $\mathbf{b} = (x_{p+1}, \ldots, x_q)$ is an arbitrary vector of 0's and 1's whose elements are a particular choice of these values. On the other hand, if $u$ is a gate node, then the value of $x_u$ ultimately depends on values of the independent basic node variables; that is, $x_u$ is a Boolean function of the vector $\mathbf{b}$. Gate variable values are determined by the following scheme: Let $D_u$ be a set of integers representing the immediate subnodes of $u$. If node $v$ is joined to node $u$ by a regular arc then $v \in D_u$; if $v$ is joined to $u$ by a complementing arc then $-v \in D_u$. Note that since only a single arc can join any two events in the tree, $D_u$ contains no complementary pair $(v,-v)$. The node definition family $\mathcal{D}(\ell_u, D_u)$ is a family of subsets of $U \cup (-U)$ that consists of all possible sets of size $\ell_u$ that may be formed from the elements of $D_u$, where $\ell_u$ is the logic indicator for node $u$. The value of $x_u$ is determined by

$$x_u = \sum_{I \in \mathcal{D}(\ell_u, D_u)} \prod_{i \in I} x_i .$$

Each integer $i \in I$ may thus be positive or negative, with $x_{-i} = (1 - x_i)$. An informal statement of this relation is that the $u$th gate node is "true" iff $\ell_u$ or more of its inputs are "true." The logic indicator satisfies $1 \le \ell_u \le \#D_u$, where $\#D_u$ represents the number of elements in $D_u$. The value $\ell_u = 1$ corresponds to the "OR" relation between immediate subnode variables (or their complements); that is,

$$x_u = \sum_{i \in D_u} x_i ;$$

whereas, $\ell_u = \#D_u$ represents the "AND" relation,

$$x_u = \prod_{i \in D_u} x_i .$$

If we apply De Morgan's Law to the general expression for $x_u$, $u$ a gate node, a similar expression may be obtained for $x_{-u}$. Let $D_{-u} \equiv -D_u = \{-i \mid i \in D_u\}$. Then

$$x_{-u} = \sum_{I \in \mathcal{D}(\#D_u - \ell_u + 1,\ D_{-u})} \prod_{i \in I} x_i .$$

Since variables $x_u$ and $x_{-u}$ are each associated with node $u$, it is convenient to call both indices $u$ and $-u$ events; $-u$ is the complementary event for node $u$.
Let $\mathbf{x} = (x_1, \ldots, x_{p-1}, x_p, x_{p+1}, \ldots, x_q)$ be a vector of 0's and 1's. Using the notation developed in Section 1.1, $\mathbf{x}$ will be said to be consistent with the fault tree if for all gate nodes $u \in G$, $x_u = /\mathcal{D}(\ell_u, D_u)/\mathbf{x}$. Thus the set of all vectors $\mathbf{x}$ consistent with the fault tree is a subset of vertices of the $q$-dimensional unit cube that represents all logically possible combinations of states of the system and its subsystems and components. If $\mathbf{x}$ and $\mathbf{x}'$ are both consistent with the fault tree and have the same values for basic node variables (i.e., $x_{p+1} = x'_{p+1}, \ldots, x_q = x'_q$), then it will be the case that $\mathbf{x} = \mathbf{x}'$. So we might write a consistent vector as $\mathbf{x}(\mathbf{b}) = (x_1(\mathbf{b}), \ldots, x_{p-1}(\mathbf{b}), x_p(\mathbf{b}), \mathbf{b})$ for some vector $\mathbf{b} = (x_{p+1}, \ldots, x_q)$ of values for basic node variables.

A subset $F$ of $U \cup (-U)$ is called an implicant set (or just implicant) for event $i$ if $x_i = 1$ for every vector $\mathbf{x}$ consistent with the fault tree such that $/[F]/\mathbf{x} = 1$. A family $\mathcal{F}$ of subsets of $U \cup (-U)$ is termed an implicant family for event $i$ if for all consistent $\mathbf{x}$, $x_i = /\mathcal{F}/\mathbf{x}$. Thus an implicant family for event $i$ is a particular collection of implicants for event $i$. Naturally, an implicant family $\mathcal{F}$ for some event is minimal when $m[\mathcal{F}] = \mathcal{F}$. As an example, some of the minimal implicant families for event 1 of the tree of Figure 1 are $[\{2\},\{5\},\{6\}]$, $[\{2\},\{7,8\},\{9,10\}]$, and $[\{3,4\},\{5\},\{6\}]$.


Some additional definitions are useful in dealing with fault trees involving complementing arcs. Again, let $\mathbf{x} = (x_1, \ldots, x_q)$ be any vector of 0's and 1's (not necessarily consistent with the fault tree), and suppose $\phi$ is a Boolean function mapping each such $\mathbf{x}$ into 0 or 1. A subset $P$ of $U \cup (-U)$ is a prime implicant of $\phi$ if $P$ implies $\phi$ (i.e., $\phi(\mathbf{x}) = 1$ for all $\mathbf{x}$ such that $/[P]/\mathbf{x} = 1$) and no proper subset of $P$ implies $\phi$. Also, a family $\mathcal{P}$ of distinct subsets of $U \cup (-U)$ is a prime implicant family for $\phi$ if for all $\mathbf{x}$, $\phi(\mathbf{x}) = /\mathcal{P}/\mathbf{x}$ and each $P \in \mathcal{P}$ is a prime implicant for $\phi$. The concepts of prime implicants and prime implicant families have been widely applied in the fields of switching theory and logic, and the definitions given here are standard in most introductory textbooks devoted to these fields. If $\mathcal{P}_1$ and $\mathcal{P}_2$ are both prime implicant families for $\phi$, then $\mathcal{P}_1 = \mathcal{P}_2$, so a prime implicant family is unique.

Specializing the idea of a prime implicant family to our purposes here, we will call a family $\mathcal{P}$ of subsets of $U \cup (-U)$ a prime implicant family for event $i$ if $\mathcal{P}$ is an implicant family for event $i$ and each $P \in \mathcal{P}$ is a prime implicant of the Boolean function $/\mathcal{P}/$. Note that if $\mathcal{F}$ is an implicant family for event $i$, the situation $/[F]/\mathbf{x} = 1$ for some $F \in \mathcal{F}$ requires that $x_i = 1$ only if $\mathbf{x}$ is consistent with the fault tree; however, whether $F$ is a prime implicant of $/\mathcal{F}/$ depends on all $\mathbf{x}$, not just vectors consistent with the fault tree. Thus with this definition, two prime implicant families $\mathcal{P}_1$ and $\mathcal{P}_2$ for event $i$ need not be the same, since $/\mathcal{P}_1/\mathbf{x} = /\mathcal{P}_2/\mathbf{x}$ need only hold for consistent $\mathbf{x}$. But if $\mathcal{P}_1$ and $\mathcal{P}_2$ are composed only of sets of basic events, it will be true that $\mathcal{P}_1 = \mathcal{P}_2$. In fact, in sections which follow, we will not be concerned with whether an implicant family $\mathcal{F}$ for event $i$ consists of prime implicants for $/\mathcal{F}/$ unless $\mathcal{F}$ consists only of subsets of basic events or only of largest simple modules for event $i$, which will be introduced in Section 1.3.
As an example, the family $\mathcal{F} = [\{9,10\},\{12,14\},\{13\},\{-9,11\},\{-10,11\}]$ is an implicant family for event 1 of the tree of Figure 1, and $\mathcal{F}$ is in terms of basic events; but $\mathcal{F}$ is not a prime implicant family for event 1. On the other hand, $\mathcal{P} = [\{9,10\},\{12,14\},\{13\},\{11\}]$ is a prime implicant family for event 1 and it may be verified that $/\mathcal{P}/ \equiv /\mathcal{F}/$.

The fault tree algorithms MOCUS and MICSUP discussed in the following subsection obtain, for selected gate events of the tree, minimal implicant families in terms of basic events, that is, families of subsets of $B \cup (-B)$. A family $\mathcal{F}$ obtained by one of these methods will not in general be a prime implicant family unless $\mathcal{F}$ consists only of subsets of $B$ (or only of subsets of $-B$). When $\mathcal{F}$ consists only of subsets of $B$, $\mathcal{F}$ is usually called a minimal cut set family. The dual family in this case is the family of minimal path sets.

In utilizing a fault tree to obtain information on the reliability of a system, it is necessary to have on hand estimates of the probability of failure of components or subsystems associated with the basic events; the availability of these estimates determines the extent to which subsystems are broken down into further subsystems. Once a minimal implicant family in terms of basic events has been obtained for the subtree top event, bounds on system reliability can often be found, as well as a number of measures of the contribution of basic event components and subsystems to reliable system operation. The use of cut sets in reliability evaluation is discussed by Barlow and Proschan [2] and Lambert [10].
1.2.2 The MOCUS and MICSUP Methods

Under the name MOCUS (Method of Obtaining Cut Sets), Vesely and Fussell [6] suggested one of the first methods for finding a minimal implicant family in terms of basic events for the top node event (or any other gate event) of the tree. MOCUS was originally proposed for fault trees that do not include complementing arcs, but the method remains essentially unchanged if complementing arcs are present. A computer program which implements MOCUS is the subject of Reference [7].

For the top node event, say event 1, the procedure begins with the definition family $\mathcal{D}(\ell_1, D_1)$ and generates a succession of implicant families for $x_1$ by continually replacing implicants involving gate events with events nearer the bottom of the tree. The essence of the method is summarized by the following steps:

0. $\mathcal{H} \leftarrow \mathcal{D}(\ell_1, D_1)$.

1. If all sets $H \in \mathcal{H}$ have been considered in this step, go to 4. Otherwise, select an $H \in \mathcal{H}$ not previously considered.

2. If all $e \in H$ are basic events, go to 1. Otherwise for each $e \in H$ that is a gate event $\mathcal{J}_e \leftarrow \mathcal{D}(\ell_e, D_e)$, and for each $e \in H$ that is a basic event $\mathcal{J}_e \leftarrow [\{e\}]$.

3. $\mathcal{H} \leftarrow [\mathcal{H} - [H]] \cup \left[ \underset{e \in H}{\times} \mathcal{J}_e \right]$.

4. $\leftarrow m[\mathcal{H}]$.

(The notation "symbol ← formula" is well-established and means that after the operations indicated by the formula on the right have been performed, the resulting object, whether it be a family, set, or
quantity,  is  to  be  represented  by  the  symbol  on  the  left.)  It  is 
readily  verified  that  will  be  an  implicant  family  for  event  1. 


The minimization task of Step 4 essentially consists of comparing each set $H \in \mathcal{H}$ with sets which precede it in $\mathcal{H}$.
The algorithm as stated is suitable for computer implementation, but the main idea is best illustrated by deriving a Boolean sum-of-products expression in terms of basic event variables for event 1 of the tree of Figure 1. This expression is derived by repeated substitution for gate event variables. Since the $x_i$ are Boolean variables, note that the identity $x_i^2 \equiv x_i$ may be used to simplify a product and that products involving a complementary pair of variables $(x_i, x_{-i})$ may be discarded:
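+ $x_7 x_8 x_{-9} x_{11}$
+ $x_7 x_8 x_{-10} x_{11}$
+ $x_{-9} x_{11}$
+ $x_{-9} x_{-10} x_{11}$
+ $x_{-9} x_{-10} x_{11}$
+ $x_{-10} x_{11}$
+ $x_{-9} x_{11} x_{12} x_{13}$
+ $x_{-9} x_{11} x_{12} x_{14}$
+ $x_{-9} x_{11} x_{13}$
+ $x_{-9} x_{11} x_{13} x_{14}$
+ $x_{-10} x_{11} x_{12} x_{13}$
+ $x_{-10} x_{11} x_{12} x_{14}$
+ $x_{-10} x_{11} x_{13}$
+ $x_{-10} x_{11} x_{13} x_{14}$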


The sum of remaining products corresponds to a nonminimal implicant family for event 1. Minimization of this family is equivalent to applying the Boolean absorption identity ($x_i + x_i x_j \equiv x_i$) to pairs of products in the above sum, thus eliminating redundant products. The resulting "minimal" expression is
MICSUP (Minimal Cut Sets, Upward) is an alternative method of constructing basic event implicant families proposed by Chatterjee [3]. At least two computer codes utilizing this method are available [12], [13]. The technique is based on the observation that if minimal basic event families are available for all immediate subevents $j \in D_i$ of a particular gate event $i$, then the minimal basic event family for $i$ is simply

$$m\left[ \bigcup_{I \in \mathcal{D}(\ell_i, D_i)} \ \underset{j \in I}{\times} \mathcal{I}_j \right] ,$$

where $\mathcal{I}_j = [\{j\}]$ if $j$ is a basic event. To find a basic event family for the top node event of a fault tree, say event 1, the procedure is as follows:

0. $F \leftarrow \{1\}$.

1. If all events $i \in F$ have been considered in this step, go to 3. Otherwise select $i \in F$ not previously considered.

2. $F \leftarrow F \cup \{j \in D_i,\ j \text{ a gate event}\}$.

3. Consider successive elements of $F$ in upward order (any ordering such that each event follows all of its subevents). For each $i \in F$ construct

$$\mathcal{I}_i = m\left[ \bigcup_{I \in \mathcal{D}(\ell_i, D_i)} \ \underset{j \in I}{\times} \mathcal{I}_j \right] .$$

Steps 0, 1, and 2 serve only to avoid, if possible, finding $\mathcal{I}_u$ and $\mathcal{I}_{-u}$ for every gate node $u$ of a fault tree containing complementing arcs; if the tree contains no complementing arcs, we may let $F = G$, the set of gate nodes, and just perform Step 3. Also, minimization may be postponed until is constructed if it is expected that the unminimized families for immediate subevents of will not contain a large number of nonminimal sets.

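For the example tree of Figure 1, this simple method is illustrated with Boolean expressions. Evidently, the set $F$ in its proper order is $\{8,7,6,-6,5,4,3,2,1\}$.

$$\begin{aligned}
x_8 &= x_{13} + x_{14} \\
x_7 &= x_{12} + x_{13} \\
x_6 &= x_9 x_{10} \\
x_{-6} &= x_{-9} + x_{-10} \\
x_5 &= x_7 x_8 \\
    &= (x_{12} + x_{13})(x_{13} + x_{14}) \\
    &= x_{12}x_{13} + x_{12}x_{14} + x_{13} + x_{13}x_{14} \\
    &= x_{12}x_{14} + x_{13} \\
x_4 &= x_{-6} x_{11} \\
    &= (x_{-9} + x_{-10}) x_{11} \\
    &= x_{-9}x_{11} + x_{-10}x_{11} \\
x_3 &= x_4 + x_5 \\
    &= (x_{-9}x_{11} + x_{-10}x_{11}) + (x_{12}x_{14} + x_{13}) \\
    &= x_{-9}x_{11} + x_{-10}x_{11} + x_{12}x_{14} + x_{13} \\
x_2 &= x_3 x_4 \\
    &= (x_{-9}x_{11} + x_{-10}x_{11} + x_{12}x_{14} + x_{13})(x_{-9}x_{11} + x_{-10}x_{11}) \\
    &= x_{-9}x_{11} + x_{-9}x_{-10}x_{11} + x_{-9}x_{11}x_{12}x_{14} \\
    &\quad + x_{-9}x_{11}x_{13} + x_{-9}x_{-10}x_{11} + x_{-10}x_{11} \\
    &\quad + x_{-10}x_{11}x_{12}x_{14} + x_{-10}x_{11}x_{13} \\
    &= x_{-9}x_{11} + x_{-10}x_{11} \\
x_1 &= x_2 + x_3 + x_6 \\
    &= (x_{-9}x_{11} + x_{-10}x_{11}) + (x_{-9}x_{11} + x_{-10}x_{11} + x_{12}x_{14} + x_{13}) + (x_9 x_{10}) \\
    &= x_{-9}x_{11} + x_{-10}x_{11} + x_{-9}x_{11} + x_{-10}x_{11} + x_{12}x_{14} + x_{13} + x_9 x_{10} \\
    &= x_{-9}x_{11} + x_{-10}x_{11} + x_{12}x_{14} + x_{13} + x_9 x_{10} .
\end{aligned}$$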


The MICSUP algorithm is superior to MOCUS in two cases: (1) when basic event families are desired for a number of intermediate gate events as well as the top event, and (2) when only sets not exceeding some given number of basic events are required in the top event family. The second case is most important in practice. Often the minimal top event family has many sets which contain a large number of basic events. If the fault tree is free of complementing arcs, each of these sets is associated with a mode of system failure due to failure of a large number of basic node components and subsystems; that the actual system will fail in this manner is highly unlikely. Thus implicants which exceed some given size are usually not of interest in the subsequent reliability analysis of the system. The convenience of the MICSUP method in this case is a consequence of the fact that sets generated for every gate event consist only of basic events, and any set that exceeds a given size may be immediately discarded.

This way of finding a subfamily of the complete minimal
family $\mathcal{I}_i$ for event $i$ does not, in general, yield meaningful results
for fault trees involving complementing arcs, due to the fact that
this family is usually not a prime implicant family. However, as an illustration,
suppose that only products of size 1 are required in the previous
example. The expression following each colon (:) below results from
discarding products containing more than a single variable.


$$
\begin{aligned}
x_8 &= x_{13} + x_{14} \\
x_7 &= x_{12} + x_{13} \\
x_6 &= x_9 x_{10} \;:\; 0 \\
x_{-6} &= x_{-9} + x_{-10} \\
x_5 &= x_7 x_8 \\
    &= (x_{12} + x_{13})(x_{13} + x_{14}) \;:\; x_{13} \\
x_4 &= x_{-6} x_{11} \\
    &= (x_{-9} + x_{-10}) x_{11} \;:\; 0 \\
x_3 &= x_4 + x_5 \\
    &= (0) + (x_{13}) \;:\; x_{13} \\
x_2 &= x_3 x_4 \\
    &= (x_{13})(0) \;:\; 0 \\
x_1 &= x_2 + x_5 + x_6 \\
    &= (0) + (x_{13}) + (0) \;:\; x_{13}
\end{aligned}
$$

(A null expression for a variable means that there is no basic event variable
which by itself implies it.) In addition to $x_{13}$, $x_{11}$ also implies
$x_1$, so the method has failed in this case to find all single variables
that imply $x_1$. What is really desired here is the subfamily of
all prime implicants for event 1 which consist of only one basic event.
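The size-1 illustration above can be checked mechanically. The following Python sketch is an added example, not FTAP code: it runs a MICSUP-style upward pass over the example tree (gate list transcribed from the equations on this page, with event 1 taken as x2 + x5 + x6), applies the size cutoff at every gate, and compares the result with a truth-table search for single literals that imply event 1. All function names are hypothetical.

```python
from itertools import product

# Gate list for the example tree, transcribed from the equations on this page
# (event 1 taken as x2 + x5 + x6). A negative number is a complemented event.
GATES = {
    8: ("OR", [13, 14]),
    7: ("OR", [12, 13]),
    6: ("AND", [9, 10]),
    5: ("AND", [7, 8]),
    4: ("AND", [-6, 11]),
    3: ("OR", [4, 5]),
    2: ("AND", [3, 4]),
    1: ("OR", [2, 5, 6]),
}
BASIC = [9, 10, 11, 12, 13, 14]
UPWARD_ORDER = [8, 7, 6, -6, 5, 4, 3, 2, 1]


def minimize(family):
    """m[F]: drop sets with a complementary pair, then every non-minimal set."""
    sets = {s for s in family if not any(-e in s for e in s)}
    return {s for s in sets if not any(t < s for t in sets)}


def gate_family(event, fam):
    """Unminimized family of a gate event, or of its complement (De Morgan)."""
    kind, inputs = GATES[abs(event)]
    if event < 0:
        kind = "AND" if kind == "OR" else "OR"
        inputs = [-e for e in inputs]
    parts = [fam[e] for e in inputs]
    if kind == "OR":
        return set().union(*parts)
    return {frozenset().union(*combo) for combo in product(*parts)}


def micsup(max_size=None):
    """Upward pass; with max_size set, larger sets are discarded at every gate."""
    fam = {}
    for b in BASIC:
        fam[b] = {frozenset([b])}
        fam[-b] = {frozenset([-b])}
    for event in UPWARD_ORDER:
        family = minimize(gate_family(event, fam))
        if max_size is not None:
            family = {s for s in family if len(s) <= max_size}
        fam[event] = family
    return fam


def evaluate(event, x):
    """Truth value of an event under x, a dict from basic event to bool."""
    if event < 0:
        return not evaluate(-event, x)
    if event in x:
        return x[event]
    kind, inputs = GATES[event]
    values = [evaluate(e, x) for e in inputs]
    return any(values) if kind == "OR" else all(values)


def single_literal_implicants(top=1):
    """Literals that force the top event to 1 whatever the other inputs are."""
    found = set()
    for lit in BASIC + [-b for b in BASIC]:
        others = [b for b in BASIC if b != abs(lit)]
        forced = True
        for bits in product([False, True], repeat=len(others)):
            x = dict(zip(others, bits))
            x[abs(lit)] = lit > 0
            if not evaluate(top, x):
                forced = False
                break
        if forced:
            found.add(lit)
    return found


if __name__ == "__main__":
    show = lambda family: sorted(sorted(s) for s in family)
    print("complete family for event 1:", show(micsup()[1]))
    print("size <= 1 cutoff at each gate:", show(micsup(max_size=1)[1]))
    print("single literals implying event 1:", sorted(single_literal_implicants()))
```

The cutoff run keeps only {13}, while the truth-table search also reports 11, which is the gap the paragraph above describes.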

1.2.3  General  Framework  for  Implicant  Elimination 

Implicant size is one criterion which may be used to determine a
subfamily of "interesting" implicants when the complete minimal implicant
family is too large to obtain. More generally, given any set of events
$E$, an importance criterion for $E$ assigns certain subsets of $E$ to
a class, called important sets, in such a manner that if $I$ is
important, all subsets of $I$ (ignoring the null set) are also important.
This definition just guarantees that if $\mathcal{I}'$ is a subfamily of all
important sets of the family $\mathcal{I}$ then $m[\mathcal{I}'] \subset m[\mathcal{I}]$. Also, let $f$
be a real-valued function whose domain consists of all subsets of $E$;
it is convenient to call $f$ an importance function if for any real
$c$ either $[I \mid I \subset E,\ f(I) \le c]$ or $[I \mid I \subset E,\ f(I) > c]$ is a
class of important sets.

Suppose that a positive real value $i(k)$ is chosen for each
event $k \in E$. If $f(I) = \sum_{k \in I} i(k)$ for each $I \subset E$, then $f$ is
an importance function; if $i(k) = 1$ for all $k \in E$, then all sets
not exceeding a critical size $c$ are important. Many other importance
functions can be constructed using the $i(\cdot)$ values, such as $\min_{k \in I} i(k)$
or, when all values are between 0 and 1, $\prod_{k \in I} i(k)$.

For fault trees that do not contain complementing arcs, the
MICSUP algorithm obviously lends itself well to construction of
minimal subfamilies of all implicants that satisfy an importance
criterion. For $E = B$, as in the case of elimination by size,
implicants that are not important may be discarded whenever they
appear.

1.3  Simple  Modules 

Deleting nonminimal implicants of a family is unquestionably
the most time consuming task in MOCUS and MICSUP methods. Given an
arbitrary implicant family $\mathcal{K}$ in any order, $m[\mathcal{K}]$ is obtained
essentially by comparing each set $K$ with all sets that precede it
in $\mathcal{K}$. If $J$ is a preceding set, $K$ is eliminated if $J \subset K$ and
$J$ is eliminated if $J \supset K$. Some effort can be saved by ordering the
sets of $\mathcal{K}$ according to increasing size; then $K$ is not strictly
contained in any preceding set. In any case, the number of set
comparisons required to find $m[\mathcal{K}]$, if $\mathcal{K}$ consists of $n$ sets, seems to
be bounded above by some constant times $n^2$.

In practice, MOCUS and MICSUP algorithms often perform a great
deal of minimization that could be avoided by isolating certain branches
of the fault tree that have no basic nodes in common. Such is the
general idea underlying this section.

1.3.1  Simple  Module  and  Modular  Subtree  Definitions

We begin with some additional definitions regarding fault
trees. If node $w$ is a subnode of $u$, a chain from $w$ to $u$
is the set of nodes along an upward path from $w$ to $u$. For
instance, in the tree of Figure 1, the sets {12, 7, 5, 3, 2, 1} and
{12, 7, 5, 1} are chains from node 12 to node 1. The number of nodes
in the largest chain from $w$ to $u$ is denoted by $c_u(w)$, and
$c_u(\cdot)$ is an integer valued function having $u$ and the subnodes of
$u$ as its domain ($c_u(u) = 1$ for any node $u$). In the example tree,
$c_1(1) = 1$, $c_1(2) = 2$, $c_1(3) = 3$, $c_1(4) = 4$, $c_1(5) = 4$, $c_1(6) = 5$,
etc.

Next, if $v$ is a subnode of $u$, $v$ is said to be a simple
module for $u$ if every chain from a basic subnode of $v$ to $u$
includes $v$. Node 5 is a simple module for node 1 in the example
tree, since the basic subnodes of 5 are 12, 13, and 14, and the
chains from these nodes to node 1 are [12,7,5,3,2,1], [12,7,5,1],
[13,7,5,3,2,1], [13,7,5,1], [13,8,5,3,2,1], [13,8,5,1],
[14,8,5,3,2,1], and [14,8,5,1], all of which include 5. It is
helpful to think of the Boolean variables associated with a simple
module as indicating the status of an independent subsystem; that
is, given the status of the subsystem, the status of any component
in the subsystem is irrelevant to the problem of determining
whether the system itself is working. For instance, the values
of $x_{12}$, $x_{13}$, and $x_{14}$ are not important in determining the
value of $x_1$ if the value of $x_5$ is known. Note that with this
definition, node 4 is a simple module of node 3, but not of node 1,
so the node or set of nodes must be specified for which a particular
node is a simple module. Also, for any gate node $u$, all basic
subnodes are trivially simple modules for $u$.

If node $v$ is a simple module for node $u$ and $v$ is not
a subnode of some other simple module for $u$, then $v$ is a largest
simple module for $u$. In Figure 1, the largest simple modules for
node 1 are 5, 6, and 11, whereas those for node 3 are 4 and 5.
It is easy to see that the largest simple modules for a node have
no subnodes in common, a fact which motivates these definitions.

The modular subtree for a gate node $u$ consists of all nodes,
along with the arcs joining these nodes, that appear in chains
from the largest simple modules for $u$ to $u$ itself. Node $u$
is thus the top node of its modular subtree. Figure 2 illustrates
the modular subtrees for nodes 3, 4, 5, and 6 of the example
tree. This definition of a modular subtree is related to the idea
of an independent branch of the fault tree, introduced by
Chatterjee [4].

1.3.2  Application  of  Simple  Modules  to  Implicant  Families

The  above  concepts  may  be  readily  associated  with  implicant 
families.  For  convenience,  call  event  j a simple  module  for  event 
i if  node  |j|  is  a simple  module  for  node  |i|  in  the  fault  tree, 
and  the  modular  subtree  for  event  i is  the  one  having  node  |i| 
at  the  top.  Were  the  MOCUS  or  MICSUP  method  applied  to  the  modular 
subtree  for  event  i , with  largest  simple  modules  for  i treated 
as  basic  events,  the  result  would  be  a minimal  implicant  family 
in  terms  of  these  largest  simple  modules.  More  suitable  algorithms 
to  find  implicant  families  associated  with  modular  subtrees  are 
discussed  in  Section  1.4,  but  for  purposes  here,  nothing  is  lost  by 
assuming  that  procedures  similar  to  MOCUS  or  MICSUP  are  available 
to  find  families  . 

For a given set $Q$ of gate events, a modular structure for $Q$
is a collection $\{\mathcal{M}_j\}_{j \in M(Q)}$ of minimal implicant families in terms
of largest simple modules for their respective index events, where
the index set $M(Q)$ is the smallest set satisfying (1) $Q \subset M(Q)$;
and (2) if $j$ is a gate event in an implicant of some family
for $i \in M(Q)$, then $j \in M(Q)$. The modular structure for $Q$ is
just the smallest group of implicant families in terms of largest
simple modules necessary to find a basic event implicant family for
each event in $Q$. For the tree of Figure 1, $M(\{1\}) = \{1, 5, 6, -6\}$
and

$$
\begin{aligned}
\mathcal{M}_1 &= [\{5\}, \{6\}, \{-6, 11\}] \\
\mathcal{M}_5 &= [\{13\}, \{12, 14\}] \\
\mathcal{M}_6 &= [\{9, 10\}] \\
\mathcal{M}_{-6} &= [\{-9\}, \{-10\}].
\end{aligned}
$$

However, $M(\{1,3\}) = \{1, 3, 4, 5, 6, -6\}$, so the modular structure for
{1,3} includes, in addition to the above families,

    = [{3}, {4}]

    = [{-6,11}] .


Reliability evaluations for a fault tree are usually introduced
by associating independent 0-1 random variables $X_u$ ($= 1 - X_{-u}$)
with all basic nodes $u$. For a gate event $i$, with a minimal
basic event implicant family $\mathcal{I}_i$, the random variable $X_i$ is taken
to be 1 if at least one set $I \in \mathcal{I}_i$ has $X_j = 1$ for all $j \in I$;
otherwise, $X_i$ is 0. Under the assumption of probabilistic
independence of basic node variables, variables for nodes that are
largest simple modules of any particular gate event are also
independent, since they have no common basic subnodes. Hence reliability
evaluations for events $j \in M(\{i\})$ may be done by considering these
events in upward order, and treating each family as if it
consisted of basic events. The number of minimal basic event implicants
for $i$ usually far exceeds the total number of implicants in all
modular structure families $\{\mathcal{M}_j\}_{j \in M(\{i\})}$.


Should basic event families be preferred for events in $Q$,
they are easily obtained by selecting the events $j \in M(Q)$ in
upward order and constructing $\mathcal{I}_j$ in the usual manner;

$$
\mathcal{I}_j \leftarrow \bigcup_{M \in \mathcal{M}_j} \; \mathop{\mathsf{X}}_{m \in M} \mathcal{I}_m
$$

where, of course, $\mathcal{I}_m = [\{m\}]$ for $m$ a basic event. Because the
largest simple module events $j$ have no subevents in common,
minimization is unnecessary. In terms of Boolean expressions, the
modular structure for event 1 of the example tree yields,

$$
\begin{aligned}
x_6 &= x_9 x_{10} \\
x_5 &= x_{13} + x_{12}x_{14} \\
x_1 &= x_5 + x_6 + x_{-6}x_{11} \\
    &= (x_{13} + x_{12}x_{14}) + (x_9 x_{10}) + (x_{-9} + x_{-10})x_{11} \\
    &= x_{13} + x_{12}x_{14} + x_9 x_{10} + x_{-9}x_{11} + x_{-10}x_{11}
\end{aligned}
$$



Size restriction may be employed when a MICSUP-type method is
applied to modular subtrees for events in $M(Q)$. These subtrees
should be devoid of complementing arcs. The family in the
resulting collection $\{\mathcal{M}'_j\}_{j \in M(Q)}$ consists of all implicants
of $\mathcal{M}_j$ that do not exceed the size limitation, and further
elimination is done as basic event families $\mathcal{I}'$ are produced.

Of course, elimination based on an importance criterion for $B$
is also feasible when basic event families are constructed. For
$j \in M(Q)$, a subfamily is then constructed which consists of all
important sets of the complete family $\mathcal{I}_j$. However, it is useful
to have an importance criterion for the set of all events that
appear in at least one implicant of $\mathcal{M}_j$. (Denote this set by $E(\mathcal{M}_j)$.)
Elimination can then be done when the MICSUP method is applied to the
modular subtree for $j$. An importance criterion for $E(\mathcal{M}_j)$ is
easily obtained from a criterion for $B$ by declaring a set $M \subset E(\mathcal{M}_j)$
important iff the basic event family $\mathop{\mathsf{X}}_{m \in M} \mathcal{I}_m$ contains at least one
important set. This is valid because the event sets $E(\mathcal{I}_m)$, $m \in M$
are disjoint.

Such an importance criterion for $E(\mathcal{M}_j)$ is actually quite easy
to implement when real nonnegative values $i(k)$ are available for all
basic events and an importance function $f$ is given in terms of these
values. Suppose, for instance, that $0 \le i(k) \le 1$ for $k \in B$,
and for $I$ a set of basic events, let $f(I) = \prod_{k \in I} i(k)$. For
$j \in M(Q)$ we construct the subfamilies $\mathcal{M}'_j$ in upward order, that
is, $\mathcal{M}'_j$ is constructed following all families $\mathcal{M}'_k$ for $k$ a subevent
of $j$. When the family is constructed, for each gate event
$m \in E(\mathcal{M}_j)$ which is a largest simple module for $j$, a value $i(m)$
will be available from a previous computation unless $\mathcal{M}'_m = \emptyset$.
If the MICSUP method is applied to the modular subtree to find $\mathcal{M}'_j$,
then all sets generated will be in terms of largest simple modules
for $j$, and only important sets need be retained, where in this case
a set $M$ is important iff (1) $\mathcal{M}'_m \ne \emptyset$ for each $m \in M$ and (2) (if
condition (1) holds)

$$
\prod_{m \in M} i(m) > c
$$

for a fixed critical value $c$. When the family has been
found, if $\mathcal{M}'_j \ne \emptyset$, $i(j)$ is determined by the computation

$$
\max_{M \in \mathcal{M}'_j} \left( \prod_{m \in M} i(m) \right).
$$

For $\mathcal{M}'_j = \emptyset$, $i(j)$ is left undefined. It is quite easy to show that
a set $M \subset E(\mathcal{M}_j)$ satisfies (1) and (2) iff there is a basic event
set $I \in \mathop{\mathsf{X}}_{m \in M} \mathcal{I}_m$ satisfying

$$
\prod_{k \in I} i(k) > c.
$$


This scheme can also be employed to yield a more efficient
technique for size elimination than simply restricting implicants in
modular structure families to a fixed maximum size. Let $\sigma(k) = 1$
for each basic event $k$ and let $f$ be the importance function
defined for a set $I$ of basic events as $f(I) = \sum_{k \in I} \sigma(k)$. As in
the procedure above, when $\mathcal{M}'_j$ is constructed, relevant values $\sigma(m)$
for largest simple module gate events $m \in E(\mathcal{M}_j)$ will be available
from earlier computations. A set $M \subset E(\mathcal{M}_j)$ is now considered
important iff (1) $\mathcal{M}'_m \ne \emptyset$ for each $m \in M$, and (2) (if condition
(1) holds)

$$
\sum_{m \in M} \sigma(m) \le c
$$

for a fixed integer value $c$. From the family $\mathcal{M}'_j$, if $\mathcal{M}'_j \ne \emptyset$,
$\sigma(j)$ is computed as

$$
\min_{M \in \mathcal{M}'_j} \left( \sum_{m \in M} \sigma(m) \right).
$$

For any set $M \in \mathcal{M}'_j$ in this case, there is at least one basic
event set $I \in \mathop{\mathsf{X}}_{m \in M} \mathcal{I}_m$ having no more than $c$ elements. We call
the particular criterion discussed in this paragraph modular size
importance.



1.3.3  A  Method  for  Identifying  Modular  Subtrees

For an arbitrary gate node $u$, let $G_u \cup L_u$ be the set of
nodes in the modular subtree for $u$, where $L_u$ consists of all
nodes that are largest simple modules for $u$ and $G_u \cap L_u = \emptyset$;
$G_u$ is never empty, since $u \in G_u$.

Finding sets $G_u$ and $L_u$ is not difficult computationally.
The technique described here makes use of particular sets of
replicated nodes, nodes which have more than a single leaving arc;
for instance 5, 6 and 13 are the replicated nodes of the Figure 1
tree. For any node $v$, let $R_v$ consist of all replicated subnodes
of $v$, as well as $v$ itself if $v$ is replicated. The set of
replicated subnodes of $v$ is just

$$
\bigcup_{w \in S_v} R_w
$$

where $S_v$ is the set of immediate subnodes of $v$.

The following procedure determines the set $L_u$ of largest
simple modules and the set $G_u$ for an arbitrary gate node $u$:

0. $z \leftarrow 0$, $T \leftarrow \{u\}$, $L_u \leftarrow \emptyset$, $G_u \leftarrow \emptyset$.

1. If $T = \emptyset$, stop. Otherwise $z \leftarrow z + 1$,
   $T \leftarrow \{v \mid v \in T,\ c_u(v) \ne z\} \cup \{S_v \mid v \in T,\ c_u(v) = z\}$,
   $G_u \leftarrow G_u \cup \{v \mid v \in T,\ c_u(v) = z\}$.

2. $L \leftarrow \{v \mid v \in T,\ c_u(v) = z + 1,\ R_v \cap (\bigcup_{w \in T,\, w \ne v} R_w) = \emptyset\}$,
   $L_u \leftarrow L_u \cup L$, $T \leftarrow T - L$. Go to 1.

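As an illustration, we find the largest simple modules of the top
node of the tree of Figure 1:

$R_{14} = R_{12} = R_{11} = R_{10} = R_9 = \emptyset$
$R_{13} = R_7 = R_8 = \{13\}$
$R_6 = \{6\}$
$R_5 = \{5, 13\}$
$R_4 = \{4, 6\}$
$R_3 = R_2 = R_1 = \{4, 5, 6, 13\}$

$z \leftarrow 0$
    $T \leftarrow \{1\}$
    $L_1 \leftarrow \emptyset$
    $G_1 \leftarrow \emptyset$

$z \leftarrow 1$
    $T \leftarrow \emptyset \cup \{2, 5, 6\}$
    $G_1 \leftarrow \emptyset \cup \{1\}$
    $L \leftarrow \emptyset$

$z \leftarrow 2$
    $T \leftarrow \{5, 6\} \cup \{3, 4\}$
    $G_1 \leftarrow \{1\} \cup \{2\}$
    $L \leftarrow \emptyset$

$z \leftarrow 3$
    $T \leftarrow \{4, 5, 6\} \cup \{4, 5\}$
    $G_1 \leftarrow \{1, 2\} \cup \{3\}$
    $L \leftarrow \{5\}$ (since $R_5 \cap (R_4 \cup R_6) = \emptyset$)
    $L_1 \leftarrow \emptyset \cup \{5\}$
    $T \leftarrow \{4, 5, 6\} - \{5\}$

$z \leftarrow 4$
    $T \leftarrow \{6\} \cup \{6, 11\}$
    $G_1 \leftarrow \{1, 2, 3\} \cup \{4\}$
    $L \leftarrow \{6, 11\}$ (since $R_6 \cap R_{11} = \emptyset$)
    $L_1 \leftarrow \{5\} \cup \{6, 11\}$
    $T \leftarrow \{6, 11\} - \{6, 11\}$

Stop.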
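The procedure and trace above translate directly into code. This Python sketch is an added example, not part of FTAP: the immediate-subnode table is read off the gate equations of the example tree (an assumption, since Figure 1 itself is not reproduced here), replicated nodes are computed from the arcs, and the function names are hypothetical.

```python
from collections import Counter

# Immediate subnodes S_v of each gate node of the example tree. Complementing
# arcs play no role in module identification, so node 4 simply lists node 6.
SUBNODES = {
    1: [2, 5, 6], 2: [3, 4], 3: [4, 5], 4: [6, 11],
    5: [7, 8], 6: [9, 10], 7: [12, 13], 8: [13, 14],
}


def replicated_nodes():
    """Nodes with more than one leaving arc, i.e. more than one parent gate."""
    parents = Counter(child for kids in SUBNODES.values() for child in kids)
    return {v for v, count in parents.items() if count > 1}


def r_set(v, replicated):
    """R_v: replicated subnodes of v, plus v itself if v is replicated."""
    result = {v} if v in replicated else set()
    for w in SUBNODES.get(v, []):
        result |= r_set(w, replicated)
    return result


def chain_lengths(u):
    """c_u(v): number of nodes in the largest chain from v up to u."""
    c = {u: 1}
    stack = [u]
    while stack:
        v = stack.pop()
        for w in SUBNODES.get(v, []):
            if c.get(w, 0) < c[v] + 1:  # found a longer chain through v
                c[w] = c[v] + 1
                stack.append(w)
    return c


def lsm(u):
    """Return (L_u, G_u): largest simple modules and remaining subtree nodes."""
    replicated = replicated_nodes()
    c = chain_lengths(u)
    R = {v: r_set(v, replicated) for v in c}
    z, T, L_u, G_u = 0, {u}, set(), set()
    while T:
        z += 1
        # Step 1: nodes at level z join G_u and are replaced by their subnodes.
        level = {v for v in T if c[v] == z}
        G_u |= level
        T = (T - level) | {w for v in level for w in SUBNODES.get(v, [])}
        # Step 2: a node at level z + 1 is a largest simple module when it
        # shares no replicated node with any other member of T.
        L = {
            v for v in T
            if c[v] == z + 1
            and not (R[v] & set().union(*(R[w] for w in T if w != v)))
        }
        L_u |= L
        T -= L
    return L_u, G_u


if __name__ == "__main__":
    for gate in sorted(SUBNODES):
        modules, inner = lsm(gate)
        print(gate, "L =", sorted(modules), "G =", sorted(inner))
```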

Essentially, the method proceeds down the subtree with top
node $u$, and the sets $T$ and $L$ involve nodes successively further
from $u$ with increasing $z$. An examination of Step 2 shows that
if $v$ is a subnode of $u$, unless $v$ is a subnode of a largest
simple module for $u$, then $v$ will eventually appear in the table
$T$ formed in Step 2 for some value of $z$, say $z'$. If
$z' \ne c_u(v) - 1$ then $v$ is retained in each $T$ for successive
values of $z = z', z' + 1, \ldots, c_u(v) - 1$. When $z = c_u(v) - 1$
in Step 3, then $v$ is tested to see if it is a largest simple
module for $u$. If it is, $v$ is included in $L_u$ and removed from
$T$; otherwise, $S_v$ replaces $v$ in the next $T$ formed in Step 2
(for $z = c_u(v)$) and $v$ is included in $G_u$.
u u 

The validity of this procedure is based on the following easily
established facts:

1. Given any two fault tree gate nodes $v$ and $w$, neither
   being a subnode of the other, then $R_v \cap R_w = \emptyset$ if and
   only if $v$ and $w$ have no basic subnodes in common.

2. For any $z$, $T \cup L_u$ contains at least one node of every
   chain from a basic subnode of $u$ to $u$ itself; moreover,
   for each $v \in T$ and $w \in L_u$, $R_v \cap R_w = \emptyset$.

3. For $v \in T$, $z = c_u(v) - 1$, there is no $w \in T$ such that
   $v$ is a subnode of $w$.

4. For $v \in T$, $v$ a simple module for $u$, there is no
   $w \in T$ such that $w$ is a subnode of $v$.

An effective method of constructing the set $L$ in Step 3
deserves mention. Let $\underline{r} = (r_1, r_2, \ldots)$ be a vector having the
same number of components as fault tree nodes. The set $T$ is taken
to be ordered in some arbitrary manner and for $v, w \in T$ we write
$v \succ w$ if $v$ precedes $w$ in $T$. Node $u$ is again the subtree
top node.

0. $L_1 \leftarrow \emptyset$. For each $w \in R_u$, $r_w \leftarrow 0$ in $\underline{r}$.

1. If all nodes of $T$ have been considered in this step,
   stop. Otherwise select the next element $v \in T$ in the
   order $\succ$.

2. If $z \ne c_u(v) - 1$, go to 3. Otherwise, if $r_w = 0$ for
   all $w \in R_v$, then $L_1 \leftarrow L_1 \cup \{v\}$.

3. $r_w \leftarrow v$ for all $w \in R_v$. Go to 2.

This procedure constructs the set

$$
L_1 = \{v \mid v \in T,\ c_u(v) = z + 1,\ \text{and } R_w \cap R_v = \emptyset \text{ for all } w \succ v \text{ in } T\}.
$$

The same procedure may be applied with the modification that the
elements of $T$ be considered in reverse order to obtain

$$
L_2 = \{v \mid v \in T,\ c_u(v) = z + 1,\ \text{and } R_w \cap R_v = \emptyset \text{ for all } w \prec v \text{ in } T\}.
$$

Then $L = L_1 \cap L_2$.

We sometimes require that the largest simple modules be known for
each gate node of the fault tree, so the LSM procedure must be applied
for every $u \in G$. However, calculating $c_u(w)$ for subnodes
$w$ of $u$ for each $u \in G$ is wasteful, and a more efficient method
can be suggested. This method is motivated by two simple facts:
First, if $G_u$ and $L_u$ are available for some gate node $u$, and
we wish to find $G_v$ and $L_v$ for some $v \in G_u$, then it is only
necessary to calculate $c_v(\cdot)$ for subnodes of $v$ in $G_u \cup L_u$,
since $G_v \cup L_v \subset G_u \cup L_u$. Secondly, if $v$ is any gate node which
is a simple module for $u$, then $c_v(w) = c_u(w) - c_u(v)$ for any
subnode $w$ of $v$. In the following statement of the method, it
is assumed that a downward order has been determined for the set
$G$ of all gate nodes.

MODS

0. For all $w \in G$, $N_w \leftarrow G \cup B$.

1. If all nodes in $G$ have been considered in this step,
   stop. Otherwise, select the next node $u \in G$ in downward
   order.

2. If $L_u$ and $G_u$ have been found, go to 1. Otherwise
   calculate $c_u(\cdot)$ for all subnodes of $u$ in $N_u$, and
   $M \leftarrow \{u\}$.

   a. If $L_v$ and $G_v$ have been found for all nodes $v \in M$,
      go to 1. Otherwise select $v \in M$ for which $L_v$ and
      $G_v$ are not available.

   b. Find $L_v$ and $G_v$ using LSM procedure, noting that
      either $v = u$ or $v$ is a simple module for $u$, so
      $c_v(w) = c_u(w) - c_u(v)$ for subnodes $w$ of $v$.

   c. $M \leftarrow M \cup \{w \mid w \in L_v,\ w \text{ a gate node}\}$. For each
      $w \in G_v - \{v\}$ for which $G_w$ is not available,
      $N_w \leftarrow G_v \cup L_v$. Go to 2a.

Note that substeps 2a thru 2c are repeated until all simple modules
have been found for node $u$ chosen in Step 1.

The process of determining largest simple modules for each
gate node of the tree of Figure 1 is illustrated:

$N_w \leftarrow \{1,2,3,4,5,6,7,8,9,10,11,12,13,14\}$, $w \in G$.

Calculate $c_1(\cdot)$ for subnodes of node 1 in $N_1$. $M \leftarrow \{1\}$.
    $L_1 = \{5, 6, 11\}$, $G_1 = \{1, 2, 3, 4\}$
    $M \leftarrow \{1\} \cup \{5, 6\}$
    $N_w \leftarrow \{1, 2, 3, 4, 5, 6, 11\}$, $w \in \{2, 3, 4\}$
    $L_5 = \{12, 13, 14\}$, $G_5 = \{5, 7, 8\}$
    $N_w \leftarrow \{5, 7, 8, 12, 13, 14\}$, $w \in \{7, 8\}$
    $L_6 = \{9, 10\}$, $G_6 = \{6\}$.

Calculate $c_2(\cdot)$ for subnodes of node 2 in $N_2$. $M \leftarrow \{2\}$.
    $L_2 = \{4, 5\}$, $G_2 = \{2, 3\}$
    $M \leftarrow \{2\} \cup \{4, 5\}$
    $N_3 \leftarrow \{2, 3, 4, 5\}$
    $L_4 = \{6, 11\}$, $G_4 = \{4\}$
    $M \leftarrow \{2, 4, 5\} \cup \{6\}$
    $L_5$, $G_5$ found previously
    $L_6$, $G_6$ found previously.

Calculate $c_3(\cdot)$ for subnodes of node 3 in $N_3$. $M \leftarrow \{3\}$.
    $L_3 = \{4, 5\}$, $G_3 = \{3\}$
    $M \leftarrow \{3\} \cup \{4, 5\}$
    $L_4$, $G_4$ found previously
    $L_5$, $G_5$ found previously.

$L_4$, $G_4$ found previously.

$L_5$, $G_5$ found previously.

$L_6$, $G_6$ found previously.

Calculate $c_7(\cdot)$ for subnodes of node 7 in $N_7$. $M \leftarrow \{7\}$.
    $L_7 = \{12, 13\}$, $G_7 = \{7\}$.

Calculate $c_8(\cdot)$ for subnodes of node 8 in $N_8$. $M \leftarrow \{8\}$.
    $L_8 = \{13, 14\}$, $G_8 = \{8\}$.

Stop.

1.4  Obtaining  Implicant  Families  Associated  with  Modular  Subtrees 

Subsections 1.4.1, 1.4.2, and 1.4.3 each suggest a technique for
deriving a minimal implicant family associated with the modular
subtree with top event $i$. If the subtree involves complementing arcs,
then the complete families, say $\mathcal{M}_i$, $\mathcal{M}_i^*$, and $\hat{\mathcal{M}}_i$, generated by each
of these three methods may all be different, though it will be true that
for every $x$, $/\mathcal{M}_i/x = /\mathcal{M}_i^*/x = /\hat{\mathcal{M}}_i/x$. The families produced by method
MSDOWN of 1.4.1 and method MSUP of 1.4.2 need not be prime implicant
families for $i$ when the subtree has complementing arcs. The Nelson
method of 1.4.3 always generates a prime implicant family or subfamily
of all prime implicants that agree with an importance criterion or size
restriction; however, this method will often be less efficient than MSDOWN
or MSUP when applied to a large subtree.

Subsection 1.4.4 speculates on the relative suitability of these
algorithms for particular applications.

1.4.1  The  MSDOWN  Method


The  spirit  of  this  method  (Modular  Subtree  Downward)  is  akin 
to  that  of  MOCUS,  but  MSDOWN  is  more  intricate  and  more  efficient 
for  most  applications.  The  algorithm  makes  use  of  the  concept 
presented  in  Section  1.1  of  the  dual  of  a family  of  sets  of  positive 
and  negative  integers.  For  purposes  here,  this  concept  requires  some 
additional  comment,  which  is  introduced  by  way  of  an  example. 

Consider the fault tree of Figure 3. Were the MOCUS algorithm
applied to this tree, the process of constructing the minimal implicant
family $\mathcal{I}_1$ would be represented by (with $\ell_e = 1$)

$$
m\left[ \mathop{\mathsf{X}}_{e \in \{2,3,4,5\}} \mathcal{P}(\ell_e, D_e) \right]
$$

where $D_2 = \{6, 7, 8, 9\}$, $D_3 = \{7, 8, -9, 10\}$, $D_4 = \{7, 8, 11, 12\}$, and
$D_5 = \{9, 10, 13, 14\}$. In a Boolean context, the state vector is
$x = (x_1, x_2, \ldots, x_{14})$, and the expression for
$/\mathop{\mathsf{X}}_{e \in \{2,3,4,5\}} \mathcal{P}(\ell_e, D_e)/x$ is a product of sums,

$$
(x_6 + x_7 + x_8 + x_9)(x_7 + x_8 + x_{-9} + x_{10})(x_7 + x_8 + x_{11} + x_{12})(x_9 + x_{10} + x_{13} + x_{14}).
$$

So determining the product family and minimizing is essentially
equivalent to expanding the above expression into a sum of products
and eliminating nonminimal products, as well as products having
complementary pairs of variables. Of the 256 products, 228 have no
complementary pairs of variables, but only 16 products are minimal.
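The counts quoted for the Figure 3 product family can be reproduced by brute force. This Python sketch is an added example, not FTAP code: it expands the product of the four sets $D_2$ to $D_5$ given above, removes products containing a complementary pair, and minimizes what remains. Function names are hypothetical.

```python
from itertools import product

# Immediate subevent sets of the four OR gates, as given for Figure 3.
D = {
    2: [6, 7, 8, 9],
    3: [7, 8, -9, 10],
    4: [7, 8, 11, 12],
    5: [9, 10, 13, 14],
}


def product_family():
    """Every product obtained by picking one event from each D_e (with repeats)."""
    return [frozenset(choice) for choice in product(*D.values())]


def without_complementary_pairs(products):
    """Keep products that never contain both an event and its complement."""
    return [s for s in products if not any(-e in s for e in s)]


def minimal(products):
    """Distinct products that do not strictly contain another product."""
    distinct = set(products)
    return {s for s in distinct if not any(t < s for t in distinct)}


def counts():
    """(all products, products free of complementary pairs, minimal products)."""
    everything = product_family()
    consistent = without_complementary_pairs(everything)
    return len(everything), len(consistent), len(minimal(consistent))


if __name__ == "__main__":
    print(counts())
    for s in sorted(minimal(without_complementary_pairs(product_family())),
                    key=lambda s: (len(s), sorted(s))):
        print(sorted(s))
```

Only 16 of the 256 generated products survive, which is the wasted work the dual-based approach discussed next is meant to avoid.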

Though the tree of Figure 3 is contrived, and such trees do not
often occur in practice, the point is that if an implicant $H$ with
a moderate number of gate events appears at some time during
application of the MOCUS procedure, the product family $\mathop{\mathsf{X}}_{e \in H} \mathcal{P}(\ell_e, D_e)$ may be
quite large, especially for a tree where a sizable proportion of the
$\ell_e$ are 1 (OR relations). However, the family remaining after
minimization may be relatively small if the immediate subevent sets
$D_e$ involve events associated with replicated nodes. This suggests
that substantial effort could be avoided if the family

$$
m\left[ \mathop{\mathsf{X}}_{e \in H} \mathcal{P}(\ell_e, D_e) \right]
$$

could be found without generating all the nonminimal sets in the
product family.

From  the  definition  of  the  family  , it  is  clear  from 

Section  1.1  that  d[0(Ze,De)  ] - + l>De)  * where 

is  the  number  of  elements  in  Dg  . Moreover,  d[d[P(&e>De) ] ] * 

,Dg)  . Thus  by  Proposition  1.1.3, 


The family in brackets on the left requires about the same amount
of effort to construct as the families $\mathcal{P}(\ell_e, D_e)$ together. The
algorithm  given  in  Reference  [17]  finds  the  dual  of  an  arbitrary 
family  F and  is  well  suited  to  our  purposes  here.  Essentially, 
the  algorithm  generates  the  sets  of  d[F]  in  groups,  and  minimization 
is  required  only  among  members  of  the  same  group;  in  fact,  when  finding 
the  dual  of  U - 1 + 1,D  ) the  algorithm  bypasses  minimiza- 

TT  G G G 

eeH 

tion  altogether  if  the  sets  , e e H are  pairwise  disjoint. 
In addition, the number of nonminimal sets appearing during
construction of this dual will always be less than the number of such
sets in $\mathop{\mathsf{X}}_{e \in H} \mathcal{P}(\ell_e, D_e)$, usually many times less. Use of the dual
algorithm in the manner suggested here to find $\mathcal{I}_1$ for the tree of
Figure 3 requires only 1/10 the computation time necessary to
produce and minimize the product family. The difference in efficiency
between the two methods becomes increasingly dramatic as the number
of sets in the product family increases. It is not hard to devise
examples where the dual algorithm generates the required minimal
family quite easily, but formation of the product family is
computationally impossible.

If $\mathop{\mathsf{X}}_{e \in H} \mathcal{P}(\ell_e, D_e)$ is small, say fewer than 20 sets, the dual
algorithm may require somewhat more computation time than forming
and minimizing the product family, due to the comparatively large
amount of computer code associated with the algorithm. However, in
this case, the computation time required by either method is quite
negligible; so in the MSDOWN method, it is not worth the trouble to
bypass the dual algorithm and derive and minimize the product family
whenever this family has fewer than 20 sets.

The steps below comprise the MSDOWN procedure applied to a
modular subtree with top event $i$. The procedure requires that the
set $L_u$ of largest simple modules for $u = |i|$ be available, as
well as the set $G_u$ of subtree nodes which are not in $L_u$.

MSDOWN

0.  z ■*-  0 , a •<-  0 , u 1 1 1 , W «-  [ { i.}  ] . 

1.  cu(v)  - z)  . 

RZ  {v  j v e-  G U L , c (v)  - z + 1 , v replicated} 
1 u u u 

If  Cz  “ 0 , W H and  stop. 

2.  If  all  H e H that  Intersect  CZ  U (~CZ)  have  been 
considered  previously  in  this  step,  go  to  5. 

Otherwise,  select  H e H with  H 0 (Cz  U (-Cz))  t*  0 


3. 


that  has  not  been  considered. 

a.  For  each  e e U if  e e Cz  U (-CZ)  , 

Je  °<^De  ~ ie  + 1'De)  * and  if  e t ^ U (-C2)  , 

J <-  t(e}]  . 

c 

b.  a a + 1 . 

c.  H 


'•  * d [.£ 


d.  H *■  [H  - [H] ) (J  , go  to  2. 

4.  R «-  [H  | H s H , H n (RZ  U (-RZ))  i*  0]  . 

(R  will  thus  contain  all  H having  a replicated 
subevent  e with  c.  (|e|)  ■ z + 1 .) 

5.  Partition  sets  of  R into  disjoint  families  , 

where  R * R n H and  A consists  of  all  a such 

o-  a 


that  Ra  0 . 

6.  N + [K  - R]  U» 


Vl  *•] 


, go  to  1. 


Following each execution of Step 1, events $e \in H$ for any
implicant $H \in \mathcal{H}$ all satisfy $c_u(|e|) \ge z$. Steps 3a thru 3d
select each implicant $H \in \mathcal{H}$ having at least one event $e$ satisfying
$c_u(|e|) = z$ and replace this implicant with a family $\mathcal{H}_a$.


For  e e H , if  we  let  J ■ D - l + 1,D  ) for  c (lei)  - z 

i!  e e e u 1 1 

and  - [{e.}]  otherwise,  then 

H ■ m f X J I 
a LeeH  aJ 

by our earlier remarks. Thus when Step 4 is begun, events $e \in H$
for any $H \in \mathcal{H}$ have $c_u(|e|) > z$. At this point, the population
of events $e$ with $c_u(|e|) = z + 1$ is greater than in all families
$\mathcal{H}$ previously constructed, since no substitution for these events
has yet occurred. The events which correspond to replicated nodes
of the subtree and satisfy $c_u(|e|) = z + 1$ are likely to be found
in nonminimal sets of $\mathcal{H}$. So we assign sets containing such replicated
events to the family $\mathcal{R}$, and minimize only this portion of $\mathcal{H}$.
Moreover, for any family $\mathcal{H}_a$ constructed in Step 3, the intersection
of $\mathcal{H}_a$ and $\mathcal{R}$ is minimal (though it may be empty), because $\mathcal{H}_a$ is
minimal. Each family of the partition in Step 5 is thus minimal, so
the indicated minimization only requires comparison of each set of a
family $\mathcal{R}_a$ with all sets in preceding families.

It  is  intuitive  but  not  obvious  that  the  minimization  scheme  in 
this  algorithm  insures  will  be  minimal.  This  is  the  case,  but 

to  establish  this  fact  rigorously  is  tedious  and  not  particularly 
instructive,  so  we  do  not  consider  the  proof. 

Figure 4 shows the modular subtree for the top node of the
Figure 1 tree. The following example derives the minimal implicant
family for this subtree using Boolean variables. The integer
in parentheses following a term is the value $a$ associating the
corresponding implicant with the family $\mathcal{H}_a$. The families $\mathcal{R}$ of
Step 4 and those of the partitions of Step 5 are also indicated.


z +■  1 


Cx  + {11 


R *-  0 


+ x2(l) 
+ xB(l) 
+ x6(l) 


—(/d[  [{1,2,3}]  ]/x> 

R - 0 


z +•  2 C2  f {2}  R2  f 0 


+ *6(1> 

+ x3x4(2)-*-(/d[[{3),{4}]]/x)  ' 

R - 0 


z -i-  3 C3  <-  {3}  R3  +-  (4,5} 

x5(l) 

+ x6(l) 


z 


+ x4<3)—  (/d[[{4},('4,5}]]/x)  

R - [{4}, {5}]  , Rx  - 

•*-  4 {4}  R^  +•  (6} 

xb(l) 

+ x6(l) 

+ x4  — 

+ X ,x,1(4)^(/d[[{-6},{ll}]]/x) 
~0  11 

R - [{6}, (-6,11}]  , R 


[(5})  , R3  - 


l - [(6}]  , R 


[(4}] 


z *■  5 C + 0 Stop. 


-6,11}] 


The expression associated with $/M_1/\underline{x}$ is thus $x_5 + x_6 + x_{-6}x_{11}$.

1.4.2 The MSUP Method

The  MSUP  algorithm  resembles  MICSUP  confined  to  a modular  subtree. 
MSUP  is  particularly  suited  to  applications  where  only  a subfamily  of 
important  implicants  or  those  not  exceeding  a fixed  size  is  required 
for  the  subtree  with  top  event  i , rather  than  a complete  family  . 

As with MSDOWN, the MSUP method utilizes the set $L_u$ of largest
simple modules for the subtree top node $u = |i|$, as well as the
set $C_u$ of subtree nodes not in $L_u$. In addition, MSUP requires
that sets $L_v$ be available for all $v \in$  ; thus, prior to deriving
the modular structure families  using MSUP, it is convenient
to apply the MODS algorithm of Subsection 1.3.3 to determine
the largest simple modules of every fault tree gate event. Finally,
MSUP calls on a "downward" type subalgorithm designated as ORDOWN
(substitution for OR-relations, DOWNward). Since ORDOWN has much in
common with the MSDOWN method of the previous subsection, we first
discuss this subalgorithm.

ORDOWN, like MSDOWN, obtains an implicant family $N_j$ for j,
a top event of a modular subtree. However, the events in implicants
of the family need not correspond to largest simple modules for
the subtree top node $v = |j|$. The method is outlined as follows:

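ORDOWN

0. $\alpha \leftarrow 0$, $v \leftarrow |j|$, $\mathcal{H} \leftarrow [\{j\}]$.

1. $C \leftarrow \{v\} \cup \{w \mid w \in G_v,\ \ell_w = 1\}$.

2. If all $H \in \mathcal{H}$ that intersect $C \cup (-C)$ have been considered
   previously in this step, go to 4. Otherwise select $H \in \mathcal{H}$
   with $H \cap (C \cup (-C)) \ne \emptyset$ that has not been considered.

3. a. For each $e \in H$, if $e \in C \cup (-C)$,
      $J_e \leftarrow P(\#D_e - \ell_e + 1, D_e)$, and if $e \notin C \cup (-C)$,
      $J_e \leftarrow [\{e\}]$.

   b. $\alpha \leftarrow \alpha + 1$.

   c. $H_\alpha \leftarrow d\left[\bigcup_{e \in H} J_e\right]$.

   d. $\mathcal{H} \leftarrow [\mathcal{H} - [H]] \cup H_\alpha$ and go to 2.

4. Partition sets of $\mathcal{H}$ into disjoint families
   $\hat{H}_\alpha = \mathcal{H} \cap H_\alpha$ and let A consist of all $\alpha$
   such that $\hat{H}_\alpha \ne \emptyset$.

5. $N_j \leftarrow m\left[\bigcup_{\alpha \in A} \hat{H}_\alpha\right]$ and stop.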


Note that each $\hat{H}_\alpha$ is minimal, since $H_\alpha$ arises from a single
application of the dual algorithm; thus, the minimization in Step 5
involves comparing sets in $\hat{H}_\alpha$ only with sets in preceding families
of the union.

The form of this method is somewhere between MOCUS and MSDOWN,
but its important feature is the set C of Step 1 which controls
event substitution in implicants of $\mathcal{H}$. Substitution for the top
event j is always done, but a subsequent event e appearing in sets
of $\mathcal{H}$ that is not a largest simple module for j may only be
replaced by $P(\ell_e, D_e)$ if $\ell_e = 1$, that is, if $x_e$ is represented
by an OR relation between immediate subevent variables. One effect
of this restriction is that no set of the family $N_j$ will contain
more events than a set in the top event definition family, $P(\ell_j, D_j)$,
though $N_j$ will usually contain more sets than the definition family.
A second effect is that events in implicants of $N_j$ are more likely
to correspond to largest simple modules for j than events in  ,
though it may happen, of course, that  and $P(\ell_j, D_j)$ are the
same. The motivation for producing families $N_j$ for selected gate
events j of the modular subtree will be discussed in connection
with the MSUP method.

For a large modular subtree with top event j, sets of  
will usually involve only events for nodes near the top of the subtree,
and in such a case, it is to be expected that $N_j$ will contain
many fewer sets than the family produced by the MSDOWN method.
For this reason, the more elaborate minimization scheme of MSDOWN
has not been included in ORDOWN. However, MSDOWN can be modified
to produce the family  instead of  by changing the formation
of the set $C_z$ in Step 1 of that algorithm.

For  event  1 of  the  Figure  1 tree,  ORDOWN  proceeds  in  this 
fashion: 


C * {1,3} 


+ x2(l) 

+ x5(l) 

+ X6U) 

(No  set  in  H - [{2} ,{5} , { 6 } ] intersects  C) . 
H.l  “ " Ct2>  ,C5},{6>]  . 


(-^</d![U,2,3}]]/x) 


Stop.

The expression associated with $/N_1/\underline{x}$ is $x_2 + x_5 + x_6$. Hence,
for this example $N_1 = P(\ell_1, D_1)$. But for event 5, ORDOWN gives

/W^/x  as  xj_2x]_4  + x2  3 * 

To find the minimal family  in terms of largest simple
modules for event i, the steps of the MSUP algorithm are as follows:

MSUP

0. $F \leftarrow \{i\}$, $u \leftarrow |i|$.

1. If all events $j \in F$ have been considered previously
   in this step, go to 4. Otherwise select $j \in F$ not yet
   considered.

2. Determine the family $N_j$ by applying algorithm ORDOWN
   to the modular subtree with top event j.

3. $F \leftarrow F \cup \{e \mid e \in E(N_j),\ e \text{ not a largest simple module for } i\}$.
   Go to 1.

4. Consider events $j \in F$ in upward order (so any event of
   F follows its subevents), constructing families  in
   this manner: If all events in $E(N_j)$ are largest
   simple modules for j,

   $K_j \leftarrow \bigcup_{N \in N_j} \times_{n \in N} K_n$,

   where $K_n = [\{n\}]$ if $n \in L_u$. If not all events in

$E(N_j)$ appearing in Steps 3 and 4 is the set of all events appearing
in at least one implicant of $N_j$. Also, though the facility for
implicant elimination based on an importance criterion or size
limitation has not been included in this outline of MSUP, elimination
may be carried out in Step 4 just as indicated in Subsections
1.2.2 and 1.3.2 with regard to the MICSUP method.

The families generated in Step 4 are all in terms of
largest simple modules for event i. In fact, if in Step 2 the
ORDOWN procedure is ignored and $N_j \leftarrow P(\ell_j, D_j)$, then the resulting
method is the MICSUP procedure applied to the modular subtree for
event i, with the exception that information concerning simple
modules guides minimization in Step 4. The incentive for obtaining
$N_j$ from the ORDOWN algorithm is threefold: First, sets of $N_j$ are
more likely to contain only simple modules for j than sets of
$P(\ell_j, D_j)$, so there is less likelihood that minimization will be
required when  is constructed. Secondly, since we are ultimately
interested in the implicant family  (= $M_i$), construction of
implicant families for other events in the subtree for event i should
be avoided if possible. Use of ORDOWN usually leads to a smaller set
of events F at the beginning of Step 4 than if $N_j$ were set to
$P(\ell_j, D_j)$, since an OR gate event $e \in D_j$, not a simple module for
some other event in F, would not appear in F. Finally, the sets
of $N_j$ are no larger than those of $P(\ell_j, D_j)$, so implicant elimination
based on size or importance in Step 4 is no more difficult than in
MICSUP.

For event 1 of the tree of Figure 1, repeating Steps 1, 2, and 3
of MSUP yields families $N_1$, $N_2$, and $N_4$ represented by the Boolean
expressions:

$x_1 = x_2 + x_5 + x_6$

$x_2 = x_4$

$x_4 = x_{-6}x_{11}$.

The set F (in proper order) is {4,2,1}. Since 4 is a simple
module for 2, minimization is only done when  is found:

$x_4 = x_{-6}x_{11}$

$x_2 = x_4 = x_{-6}x_{11}$

$x_1 = x_{-6}x_{11} + x_5 + x_6$.

1.4.3 The Nelson Method

Associated with any given fault tree is a dual tree, which
differs from the original, or primal tree, only in the value of
gate node logic indicators. If $\ell_u$ is the logic indicator for node
u of the primal tree, then $\#D_u - \ell_u + 1$ is the corresponding logic
indicator for the same node of the dual tree. Of course, for trees
having only AND and OR logic, the dual tree is easily obtained from
the primal by changing each AND gate to an OR gate and vice-versa.

Since the defining families $P(\ell_u, D_u)$ and $P(\#D_u - \ell_u + 1, D_u)$,
for gate event u of the primal and dual trees, are dual families,
Proposition 1.1.1 of Section 1.1 indicates that for all $\underline{x}$,

$/P(\#D_u - \ell_u + 1, D_u)/(\underline{1} - \underline{x}) = 1 - /P(\ell_u, D_u)/\underline{x}$.

This holds for all $u \in G$, so for any vector $\underline{x}$ consistent with
the primal tree, in the sense of Section 1.2, the vector $\underline{1} - \underline{x}$
is consistent with the dual tree; that is, for all $u \in G$,

$/P(\#D_u - \ell_u + 1, D_u)/(\underline{1} - \underline{x}) = 1 - x_u$.

Were the MSDOWN (or MSUP) method applied to the modular subtree for
event i in each of these trees to obtain a family  for the dual tree
and a family $M_i$ for the primal, then for all $\underline{x}$ consistent with
the primal tree it would be the case that

$/\;\;/(\underline{1} - \underline{x}) = 1 - /M_i/\underline{x}$.

So again by Proposition 1.1.1, the dual family $d[\;\;]$ associated
with  would satisfy, for all $\underline{x}$ consistent with the primal tree,

$/d[\;\;]/\underline{x} = /M_i/\underline{x}$.

Thus we see another way to construct a minimal implicant family $M_i$
from the modular subtree for event i: Apply the MSDOWN (or MSUP)
algorithm to obtain a complete minimal family  for the dual
modular subtree for event i, and then construct the dual family,
$d[\;\;]$, associated with  .


This procedure may not always be successful in practice. The
first problem involves obtaining  ; this may not be possible if
the modular subtree for i is large, since  must be a complete
minimal family, and a subfamily of important or size restricted sets
is not adequate. Secondly, even when  can be generated, construction
of $d[\;\;]$ may be difficult. There is a well-known argument
that a "good" algorithm for finding the dual family for an arbitrary
family will probably never be devised [1], [15]; a "good" algorithm
would be such that the effort required could be bounded in all cases
by a fixed polynomial in the number of sets in the dual family or
the number of elements composing these sets. This, however, is not
intended to suggest that all algorithms for constructing dual families
are equally "bad."

The dual algorithm given in [17] and previously recommended for
use in MSDOWN and ORDOWN methods has worked well for obtaining $d[\;\;]$
in a number of applications, some involving quite large modular subtrees.
This algorithm also permits set elimination based on importance and
size criteria to be utilized to considerable advantage in constructing
a subfamily of all important sets of $d[\;\;]$ or those not exceeding
a fixed size. In fact, if the complete family  is available,
adequate size and importance restrictions can almost always be chosen
to insure that some subfamily of $d[\;\;]$ will be found with a moderate
amount of computational effort.

In some instances where this method has been applied to large
subtrees, the process of obtaining  and then implicants of
 not exceeding size  has proven to be several times faster
than employing the MSUP algorithm to find the family  with the
same size restriction. These example subtrees did not contain
complementing arcs; thus, in each case the subfamilies generated by
the two methods were the same. One subfamily involved 1000 sets,
so the difference in effort required by the two methods can be
significant. However, it is well to note that families  for the
dual subtrees all had less than 50 sets, though some of these sets
consisted of more than 25 events.

When the modular subtree for an event i contains complementing
arcs, $d[\;\;]$ will usually not be the same family as that produced
by the MSDOWN or MSUP method. For instance,  = [{5,6,11}] for
event 1 of the example tree of Figure 1, so $d[\;\;]$ = [{5},{6},{11}],
which differs from $M_1$ = [{5},{6},{-6,11}] obtained by MSDOWN and

for finding a prime implicant family for the Boolean function /F/,
given an arbitrary family F of subsets of $U \cup (-U)$ (where U,
as usual, is some set of consecutive positive integers, say
{1, ..., q}). It turns out that P = d[d[F]] is the required family.

One way to prove this is to show that d[F] is a prime implicant
family for the function /d[F]/, which can be done by demonstrating
that if there is a proper subset of some $P \in d[F]$ such that this
subset implies /d[F]/, then there is an $\underline{x} = (x_1, \ldots, x_q)$ such
that both $/d[F]/(\underline{1} - \underline{x}) = 1$ and $/F/\underline{x} = 1$, contradicting
Proposition 1.1.1. Our version of this technique is to find
$d[d[M_i]]$ by replacing $d[M_i]$ with the minimal family  , obtained
through application of MSDOWN or MSUP to the dual modular subtree
for i. Though in general  $\ne d[M_i]$, it is true that

$d[\;\;] = d[d[M_i]]$.


Letting $P_j$ represent the prime implicant family for event j in
terms of largest simple modules for j, the collection $\{P_j\}_{j \in M(Q)}$
may now be derived by utilizing the Nelson method when the modular
subtree for j involves complementing arcs, and any one of the
methods MSDOWN, MSUP, or Nelson when complementing arcs are absent.
Suppose families in terms of basic events are generated in the manner
of Subsection 1.3.2; that is, events $j \in M(Q)$ are considered in
upward order and each basic event family is generated by

$I_j \leftarrow \bigcup_{P \in P_j} \times_{p \in P} I_p$.

Intuitively, it would seem that these basic event families should
also be prime implicant families, and this is in fact the case.

Also, since the dual algorithm is capable of constructing a subfamily
$P^*_j$ consisting of all sets of $d[\;\;]$ satisfying a size
or importance restriction, the remarks of Subsection 1.3.2 extend
in an obvious way to fault trees with complementing arcs. Thus a
collection $\{P^*_j\}_{j \in M(Q)}$ of subfamilies may be obtained such that $P^*_j$
is a basic event subfamily of all important prime implicants or those
not exceeding some fixed size.

To conclude this subsection, we note that the efficiency of
finding a prime implicant family in the manner suggested by d[d[F]]
greatly depends on the particular technique utilized to construct
dual families. Sometimes the name "Nelson's Algorithm" is applied to
a detailed procedure, also called the method of double complements,
which is not noted for being very efficient. This procedure begins
with a Boolean expression in sum-of-products form, for example,

$x_1x_2 + \bar{x}_2x_3x_4 + x_3\bar{x}_4$.

The expression is complemented and, using DeMorgan's Law, converted
to a product of sums:

$(\bar{x}_1 + \bar{x}_2)(x_2 + \bar{x}_3 + \bar{x}_4)(\bar{x}_3 + x_4)$.

Next, a sum of products is obtained by expanding and eliminating products
which are not minimal or contain complementary pairs of variables:

$\bar{x}_1x_2x_4 + \bar{x}_1\bar{x}_3 + \bar{x}_2\bar{x}_3$.

This last expression is again complemented, repeating the above
steps to yield

$x_1x_2 + x_1x_3 + \bar{x}_2x_3 + \bar{x}_4x_3$.

In our notation, P = [{1,2},{1,3},{-2,3},{3,-4}] is then a prime
implicant family for the function /F/, where F = [{1,2},{-2,3,4},
{3,-4}].
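The double-dual construction P = d[d[F]] can be checked mechanically on the families quoted above. The following is an added example, not code from the report or from FTAP: it uses the report's signed-integer notation (event -k is the complement of event k) and assumes d[F] is computed as the minimal sets that meet every set of F and contain no complementary pair, which is a plain expand-and-absorb procedure rather than the dual algorithm of [17].

```python
def minimize(family):
    """m[F]: keep only the sets that contain no other set of the family."""
    ordered = sorted({frozenset(s) for s in family},
                     key=lambda s: (len(s), sorted(s)))
    kept = []
    for candidate in ordered:
        if not any(k <= candidate for k in kept):
            kept.append(candidate)
    return kept


def dual(family):
    """d[F]: minimal sets that intersect every set of F.

    Sets holding a complementary pair {k, -k} are discarded, and the
    partial result is minimized after each set of F is processed so the
    intermediate family stays as small as possible.
    """
    partial = [frozenset()]
    for member in family:
        grown = []
        for chosen in partial:
            for event in member:
                if -event not in chosen:      # skip complementary pairs
                    grown.append(chosen | {event})
        partial = minimize(grown)
    return partial


def prime_implicants(family):
    """P = d[d[F]], the prime implicant family for /F/."""
    return dual(dual(family))


def as_expression(family):
    """Render a family as a sum of products, writing x-k for a complement."""
    terms = ["".join(f"x{e}" for e in sorted(s, key=abs)) for s in family]
    return " + ".join(terms)


# The family F from the text above, and the family [{5},{6},{-6,11}]
# that the report gives for event 1 of its Figure 1 tree.
F_EXAMPLE = [{1, 2}, {-2, 3, 4}, {3, -4}]
M1_EXAMPLE = [{5}, {6}, {-6, 11}]

if __name__ == "__main__":
    print("d[F]    =", as_expression(dual(F_EXAMPLE)))
    print("d[d[F]] =", as_expression(prime_implicants(F_EXAMPLE)))
    print("d[d[M]] =", as_expression(prime_implicants(M1_EXAMPLE)))
```

Note that {1,3} appears in d[d[F]] although it is not a subset-minimal member of F; it is a prime implicant that simple minimization of F would never produce.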

The effort required by the double complement method increases
very rapidly as the size of F increases. Hulme and Worrell [8]
considered the following sum of twenty products:

x1x6x?xg  + x2x6x?x8  +■  x1x3x^x6  + XjXgX  Xg 

+ X^X^XgX.^  + X^X^X^Xg  4-  XgXgXgXg  + Xj^X^Xg 

+ Xj^XgXgXg  + X2X^X3Xg  4"  4"  X^X^X^Xg 

+ XgX^X7Xg  + XgXyXgXg  + X2X^X3X7  + X2X3X6X7 

+ X^X^XyXg  + X^X,XgXg  + XjXgXgXg  + XgX^XgX^  . 


They  terminated  the  double  complement  method  after  more  than  6000 
seconds  of  CPU  time  on  a CDC  6600  computer  without  obtaining  the 
prime  implicants  associated  with  this  expression.  Using  a general 
factorization  scheme,  they  were  able  to  find  the  87  prime  implicants 
in  about  400  CPU  seconds. 

This sum-of-products expression can be represented as a fault
tree in the manner indicated by the introductory example of Subsection
1.4.1 (Figure 3): Subscripts of expression variables are associated
with basic nodes, a separate gate node with AND logic is created for
each product, and the top node is an OR relation between these gate
nodes. The MSDOWN method then essentially finds  by applying
the dual algorithm to a family F of twenty sets, where each set
is composed of variable indices in one of the above products, so
$d[\;\;]$ is found in two major applications of the dual algorithm.

The FTAP program, implemented on a CDC 6400 computer (which is
roughly comparable in speed to the CDC 6600), required less than
6 CPU seconds to find the 87 prime implicants.

1.4.4 Comments on the Choice of Method

The question naturally arises as to which of the three methods
of this section is "best" for a particular modular subtree. When
the subtree is small, say fewer than 25 gate nodes, these methods
will not often differ widely in computational efficiency, and any
of the algorithms is appropriate, unless the subtree has complementing
arcs, in which case the Nelson method is usually preferable because
it produces a prime implicant family. On the other hand, when the
subtree is large, say more than 50 gate nodes, it is usually difficult
to predict the relative efficiency of these methods. The analyst may
have to rely on trial and error or previous computational experience
with similar subtrees, combined with a few general considerations
discussed here.

Let us first assume that the modular subtree contains no complementing
arcs. MSDOWN or MSUP will most likely be selected in this
case. MSDOWN is intended for use when the complete minimal implicant
family $M_i$ is required, and is apt to be more suitable for this
purpose than the MSUP method, especially when a moderate or large
number of replicated nodes are somewhat evenly distributed throughout
the subtree. The general "downward" method, as well as the dual
algorithm incorporated with MSDOWN, then offers some protection
against the sudden appearance during processing of an unmanageable
number of nonminimal sets. However, if the subtree contains a small
number of replicated nodes, MSUP may be the faster of the two methods
for finding the complete family, but the difference in efficiency
will probably not be dramatic. MSUP, of course, is primarily intended
for use in deriving a subfamily of  consisting of important or size
restricted sets.

The Nelson method may seem superfluous for a subtree without
complementing arcs, but when the complete minimal family  for the
dual modular subtree has significantly fewer sets than the primal
family $M_i$, this method is apt to surpass MSDOWN or MSUP. Of course,
for the Nelson method to be successful, it is first essential that
MSDOWN (or MSUP) be capable of finding  . One clue that suggests
 might be small is a predominance of subtree gate nodes with OR
logic. A more formal approach is to calculate rough upper bounds
$\beta_i$ and  , called subtree binary indicated implicant counts, on the
number of sets in $M_i$ and  ; a simple procedure for computing $\beta_i$
and  is given below. For subtrees without complementing arcs,
$\beta_i$ and  are the same as counts of binary indicated cut sets and
binary indicated path sets defined by Chatterjee [3], as long as the
modular subtree is treated as an independent fault tree in the latter
definitions, with largest simple modules for the subtree top event
representing basic nodes. As a first approximation, it is usually
reasonable to suppose that  exceeds the number of sets in  
by one or maybe two orders of magnitude. When the complete family
 can be generated, it may be feasible to find all of the implicants
of $d[\;\;]$ or perhaps only those satisfying an importance or size
constraint. The Nelson method, with size or importance elimination
enabled when applying the dual algorithm to  , can be considerably
faster than the MSUP method for obtaining the desired subfamily.

Quantities $\beta_u$ and $\beta_{-u}$ are defined for a modular subtree with
top node u; for i = +u or i = -u,  = $\beta_{-i}$. For generality,
we allow the subtree to contain complementing arcs. Suppose the MOCUS
and MICSUP methods, as discussed in Subsection 1.2.2, were modified
to inhibit minimization. If then applied to the modular subtree,
with largest simple modules for u treated like basic events, both
methods would produce the same nonminimal family $\mathcal{B}_u$ or $\mathcal{B}_{-u}$ in
terms of largest simple modules for u. Families $\mathcal{B}_u$ and $\mathcal{B}_{-u}$ are
called subtree binary indicated implicant families. Fortunately,
the number of sets in these families is easy to compute without
deriving the families themselves: $\beta_u$ and $\beta_{-u}$ are these counts.

When the modular subtree involves no complementing arcs, $M_u$
and $M_{-u}$ are unique prime implicant families, with $M_u \subset \mathcal{B}_u$ and
$M_{-u} \subset \mathcal{B}_{-u}$, so $\beta_u$ and $\beta_{-u}$ are upper bounds for the number of sets
in $M_u$ and $M_{-u}$. Moreover, in the absence of complementing arcs,
the families  and  associated with the dual subtree are
also unique, and for i = +u or i = -u,  can be obtained from
$M_{-i}$ by replacing each event j in an implicant of $M_{-i}$ by its
complementary event -j. Thus $\beta_{-i}$ is also an upper bound on the
size of  . On the other hand, when the modular subtree contains
complementing arcs, the family $M_i$ determined by algorithm MSDOWN
or MSUP is generally not a prime implicant family for i, and it
cannot be argued that $M_i \subset \mathcal{B}_i$. However, for all practical purposes,
it will very rarely be the case that the number of sets in $M_i$
exceeds the number of sets in $\mathcal{B}_i$.

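Quantities $\beta_u$ and $\beta_{-u}$ are determined by the following rapid
procedure: For each node v that is a largest simple module for
the subtree top node u, $\beta_v \leftarrow 1$ and $\beta_{-v} \leftarrow 1$. Consider nodes in
$C_u$, the set of subtree nodes that are not largest simple modules,
in upward order. For $v \in C_u$,

$\beta_v \leftarrow \sum_{K \in P(\ell_v, D_v)} \prod_{k \in K} \beta_k$

$\beta_{-v} \leftarrow \sum_{K \in P(\#D_v - \ell_v + 1, D_{-v})} \prod_{k \in K} \beta_k$.

The last values calculated are $\beta_u$ and $\beta_{-u}$.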
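The counting procedure above is short enough to run by hand on a small subtree, but a script makes the primal and dual bounds easy to compare before choosing a method. This is an added example, not code from the report or from FTAP; it assumes $P(\ell, D)$ denotes the family of all $\ell$-element subsets of D, takes $D_{-v}$ to be the complements of the events in $D_v$, and runs on a constructed subtree whose node numbers are illustrative only.

```python
from itertools import combinations
from math import prod


def implicant_counts(gates, upward_order):
    """Return {signed node: beta} for every gate node of a modular subtree.

    gates        : {node: (logic_indicator, [signed immediate subevents])}
                   (assumed input layout); a negative subevent stands for
                   a complementing arc.
    upward_order : gate nodes listed so that each follows its subnodes.
    Nodes that are not keys of `gates` are treated as largest simple
    modules, so beta is 1 for the node and for its complement.
    """
    beta = {}

    def count(k):
        if k in beta:
            return beta[k]
        if abs(k) in gates:
            raise ValueError(f"node {abs(k)} used before it was computed; "
                             "upward_order is not an upward order")
        return 1  # largest simple module: beta_v = beta_-v = 1

    for v in upward_order:
        ell, subevents = gates[v]
        n = len(subevents)
        if not 1 <= ell <= n:
            raise ValueError(f"logic indicator of node {v} must be in 1..{n}")
        # beta_v: sum over K in P(l_v, D_v) of the product of beta_k
        beta[v] = sum(prod(count(k) for k in K)
                      for K in combinations(subevents, ell))
        # beta_-v: same sum over P(#D_v - l_v + 1, D_-v)
        complements = [-d for d in subevents]
        beta[-v] = sum(prod(count(k) for k in K)
                       for K in combinations(complements, n - ell + 1))
    return beta


# Constructed subtree: node 1 is an OR of gates 2, 3 and 5; gate 4 is a
# 2-out-of-3 gate that gate 5 reaches through a complementing arc.
GATES = {
    4: (2, [20, 21, 22]),
    2: (2, [10, 11]),        # AND
    3: (3, [11, 12, 13]),    # AND
    5: (2, [-4, 30]),        # AND of (not 4) and 30
    1: (1, [2, 3, 5]),       # OR
}
ORDER = [4, 2, 3, 5, 1]

if __name__ == "__main__":
    counts = implicant_counts(GATES, ORDER)
    print("beta_1 =", counts[1], " beta_-1 =", counts[-1])
```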

Finally, a few comments should be directed toward application
of MSDOWN, MSUP, and Nelson methods to subtrees which contain complementing
arcs. The workload for each algorithm is about the same
as when complementing arcs are absent. However, the complete
implicant family $M_i$ produced by MSDOWN or MSUP is no longer
guaranteed to be a prime implicant family for i. For some fault
tree applications, this may be acceptable, or the analyst may wish
to obtain $M_i$ and from it generate a prime implicant family by any
of a large variety of prime implicant algorithms available in the
literature; for example, see [14]. Of course, implicant elimination
based on size or importance should not be used in conjunction with
MSUP to obtain a subfamily of $M_i$. A size or importance criterion,
however, can be utilized to good advantage with the Nelson method.

As remarked above, the quantity  (= $\beta_{-i}$) can usually be assumed
to exceed the number of sets in the family  produced by MSDOWN
(or MSUP) for the dual subtree. So, as before, if  is not too
large, the Nelson method will probably be feasible.

PART II

USE OF THE FAULT TREE ANALYSIS PROGRAM

FTAP  is  a general  purpose  computer  program  for  fault  tree  analysis 
employing  the  methodology  of  Sections  1.3  and  1.4.  The  bulk  of  the 
program  consists  of  about  3500  FORTRAN  statements,  segmented  into  a 
driver  routine  and  about  40  subroutines.  Assembler  code  performs 
several simple operations that cannot be done in the context of
standard FORTRAN. The FORTRAN portion of FTAP is compatible with
nearly all FORTRAN compilers, but assembler routine packages are
currently available only for CDC 6600/7600 and IBM 360/370 series
machines. However, versions of these routines can easily be prepared
in any assembler language according to specifications given in
Section II.6.

Considerable  effort  has  been  expended  to  insure  that  FTAP  will 
be  easy  to  use.  The  input  format  is  direct  and  unified,  and  input 
data  is  completely  checked  for  correctness  and  consistency.  Error 
messages  are  detailed,  allowing  the  user  to  promptly  identify  problems 
involving  program  input  or  execution.  Also,  an  ample  number  of 
comment  cards  are  interspersed  with  the  FORTRAN  source  statements  to 
describe  the  code  in  terms  of  the  algorithms  of  Part  I;  notation  used 
for  these  comments  is  intended  to  resemble  the  notation  scheme  of 
Sections  1.3  and  1.4.  Finally,  FTAP  has  been  extensively  tested  for 
reliable  operation. 

Sections II.1 through II.4 below describe program input and
output; Section II.5 discusses the general procedure for implementing
FTAP at a computer installation.

II.1 General Input Structure

The  smallest  logical  units  of  input  data  are  called  program 
instructions , each  of  which  is  usually  confined  to  a single  80- 
column  punched  card,  though  some  instructions  may  be  continued  on 
additional  cards.  Program  instructions  are  classified  according  to 
three  major  groups:  gate  node  definition,  option,  and  execution. 

Gate  node  definition  instructions  specify  a fault  tree  for 
analysis.  These  are  always  read  first  by  the  program,  and  if  they 
are  free  of  errors,  a representation  of  the  fault  tree  is  stored  in 
main  memory.  Errors  in  fault  tree  specification  are  messaged  and 
cause  processing  to  terminate. 

One  or  more  option  instructions  may  follow  fault  tree  specification, 
and  information  provided  by  these  instructions  is  checked  and  stored. 
Options  allow  the  user  to  (1)  modify  the  fault  tree,  (2)  select 
arbitrary  gate  nodes  for  which  implicant  families  are  to  be  found, 

(3)  specify  the  methodology  for  obtaining  implicant  families, 

(4)  enable  implicant  elimination  on  the  basis  of  size  or  importance, 
and  (5)  control  program  printed  and  punched  output. 

The  next  card  to  be  read  after  the  option  group  is  an  execution 
instruction,  which  may  be  one  of  the  two  types  we  shall  designate  as 
*TREE  and  *XEQ.  The  *TREE  instruction  invokes  an  FTAP  procedure  that 
produces  a structural  description  of  the  fault  tree,  essentially  by 
listing  modular  subtrees  and  binary  indicated  implicant  counts.  The 
*XEQ  instruction  begins  the  operation  of  obtaining  implicant  families. 
Option  instructions  affect  the  processing  initiated  by  an  immediately 
following *TREE or *XEQ instruction, and this processing will be
referred to as a run. Multiple runs are permitted; when a run is
completed, the program reinitializes all memory locations except
those associated with the input fault tree, so a group of options
and an execution instruction for a new run may follow the execution
instruction for the previous run. Options for a given run in no
way affect other runs. The input data package for the FTAP program
therefore has this general form:

fault  tree  specification 
run  1 option  instructions 
run  1 *TREE  or  *XEQ  instruction 
run  2 option  instructions 
run  2 *TREE  or  *XEQ  instruction 

run  n option  instructions 

run  n *TREE  or  *XEQ  instruction. 

For  convenience,  the  same  80-column  card  format  is  used  for 
all  instructions  and  consists  of  eight  fields  across  the  width  of 
the  card.  A particular  instruction,  however,  will  typically  utilize 
only  information  punched  in  certain  of  these  fields.  Field  1 is 
composed  of  card  columns  1-8.  Fields  2 through  8 consist,  respectively, 
of  columns  11-18,  21-28,  31-38,  41-48,  51-58,  61-68,  and  71-78. 

The entry in field 1 is either a gate node name or an instruction
name, left-justified in the field. FTAP automatically numbers fault
tree nodes with positive integers in the scheme of Part I and allows
the analyst the luxury of choosing names to replace these node numbers
on program input and printed output. Node names may consist of any
combination of eight or less characters. Instruction names are fixed
strings of eight or less characters and are discussed in Section II.4.

Depending  on  the  instruction,  the  entry  in  field  2 is  either  a 
positive  integer,  a decimal  number  in  a FORTRAN  E or  F format, 
or  one  of  the  special  characters  plus  (+)  or  asterisk  (*).  An 
entry may appear anywhere in field 2, except for an E-format decimal
number,  which  must  be  right-justified. 

Entries  in  fields  3 through  8 are  again  names  of  fault  tree 
nodes,  left-justified  in  these  fields.  The  dash  (-)  may  appear  in 
any  of  the  columns  20,  30,  40,  50,  60,  or  70  if  the  field  immediately 
to  the  right  of  the  column  contains  a node  name.  Dashes  represent 
event  complementation. 

II.2 Fault Tree Specification

The input fault tree is specified through a series of gate
node definition instructions arranged in any order and followed by
a card with the string "ENDTREE" left-justified in field 1.

For a gate node u, the associated definition instruction provides
the value l of the logic indicator and the set D of immediate
subevents. The first card of the instruction contains the node name
in field 1 and names of immediate subnodes in fields 3 through 8.
At least one subnode must appear, and no two fields may contain
the same name. If node u is joined to an immediate subnode by a
complementing arc, a dash should precede that particular subnode name.

The logic indicator value l is a positive integer that may
be placed anywhere in field 2; of course, l may not exceed the
number of immediate subevents. Optionally, either of the special
characters plus or asterisk may be used in field 2, with a plus
signifying a value of 1 for l (an OR relation between subevent
variables), and the asterisk signifying a value for l equal to
the total number of subevents (an AND relation).

When a node has more than six immediate subevents, additional
subevent names may be entered in fields 3 through 8 on one or more
cards  which  follow  the  first  card  and  continue  the  gate  node  definition. 
Fields  1 and  2 on  continuation  cards  are  to  be  left  blank.  There  is 
no  restriction  on  the  total  number  of  immediate  subevents. 

As  an  example  of  fault  tree  specification,  we  consider  again  the 
tree  of  Figure  1,  redrawn  in  Figure  5 with  an  unimaginative  choice  of 
node  names.  The  tree  is  specified  as  follows  (where  each  line  is  to 
be  interpreted  as  a separate  card): 


Col.   1         11        21        31
       |         |         |         |
       TOP       +         G2        G5
       G2        *         G3        G4
       G3        +         G4        G5
       G4        *        -G6        B11
       G5        *         G7        G8
       G6        *         B9        B10
       G7        +         B12       B13
       G8        +         B13       B14
       ENDTREE

More  than  one  fault  tree  can,  in  fact,  be  specified  by  a group  of 
gate  node  definitions.  For  instance,  if  the  instructions  for  TOP,  G2, 
and  G3  were  deleted  from  the  above  list,  FTAP  would  still  accept  the 
remaining  instructions,  though  they  represent  two  distinct  trees  with 
top  nodes  G4  and  G5. 
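
The card layout of Section II.1 and the gate definition rules above, written as a parser. This is an added Python illustration, not FTAP code (FTAP is FORTRAN); the helper card() and the deck it builds from the listing above are constructed for the example, and rejecting a repeated gate name is an assumption.

```python
FIELD_STARTS = [1, 11, 21, 31, 41, 51, 61, 71]   # first column (1-based) of fields 1..8

def card(f1="", f2="", *names):
    """Build an 80-column card image; a leading '-' goes in the column before the field."""
    cols = [" "] * 80
    def put(col, text):
        cols[col - 1:col - 1 + len(text)] = text
    put(1, f1)
    put(11, f2)
    for start, name in zip(FIELD_STARTS[2:], names):
        if name.startswith("-"):
            put(start - 1, "-")               # columns 20, 30, ..., 70
            name = name[1:]
        put(start, name)
    return "".join(cols)

def split_card(line):
    """Return (field 1, field 2, subnode names); complemented names keep a '-' prefix."""
    line = line.ljust(80)
    names = []
    for start in FIELD_STARTS[2:]:
        field = line[start - 1:start + 7]     # eight columns, e.g. 21-28
        if not field.strip():
            continue
        if field[0] == " ":
            raise ValueError(f"name in columns {start}-{start + 7} is not left-justified")
        names.append(("-" if line[start - 2] == "-" else "") + field.rstrip())
    return line[0:8].rstrip(), line[10:18].strip(), names

def bare(name):
    return name[1:] if name.startswith("-") else name

def parse_tree(cards):
    """Parse gate definition cards up to ENDTREE into {gate: (logic value, [subnodes])}."""
    raw, current = {}, None
    for line in cards:
        f1, f2, names = split_card(line)
        if f1 == "ENDTREE":
            break
        if not f1 and not f2:                 # continuation card: fields 1 and 2 blank
            if current is None:
                raise ValueError("continuation card before any gate definition")
            raw[current][1].extend(names)
        elif not f1 or f1 in raw:             # assumption: a repeated gate name is rejected
            raise ValueError(f"bad or repeated gate name {f1!r}")
        else:
            current = f1
            raw[f1] = (f2, names)
    else:
        raise ValueError("missing ENDTREE card")
    gates = {}
    for gate, (f2, subs) in raw.items():
        if not subs or len({bare(s) for s in subs}) != len(subs):
            raise ValueError(f"gate {gate}: need at least one subnode, each name once")
        if f2 == "+":
            logic = 1                         # OR relation
        elif f2 == "*":
            logic = len(subs)                 # AND relation
        elif f2.isdigit():
            logic = int(f2)                   # explicit logic indicator value
        else:
            raise ValueError(f"gate {gate}: field 2 must be +, * or a positive integer")
        if not 1 <= logic <= len(subs):
            raise ValueError(f"gate {gate}: logic indicator {logic} out of range")
        gates[gate] = (logic, subs)
    return gates

def top_nodes(gates):
    """Gates that are not a subnode of any other gate."""
    used = {bare(s) for _, subs in gates.values() for s in subs}
    return sorted(g for g in gates if g not in used)

def inverse_tree(gates):
    """Map each node to the list of its immediate supernodes."""
    inv = {}
    for gate, (_, subs) in gates.items():
        for s in subs:
            inv.setdefault(bare(s), []).append(gate)
    return inv

# Constructed deck: the example cards listed above, rebuilt column by column.
DECK = [card("TOP", "+", "G2", "G5"), card("G2", "*", "G3", "G4"),
        card("G3", "+", "G4", "G5"), card("G4", "*", "-G6", "B11"),
        card("G5", "*", "G7", "G8"), card("G6", "*", "B9", "B10"),
        card("G7", "+", "B12", "B13"), card("G8", "+", "B13", "B14"),
        card("ENDTREE")]

if __name__ == "__main__":
    tree = parse_tree(DECK)
    for gate, (logic, subs) in tree.items():
        print(f"{gate:<8}{logic:<4}{' '.join(subs)}")
    print("top nodes:", top_nodes(tree))
```

Dropping the TOP, G2 and G3 cards from DECK and parsing again gives the two top nodes G4 and G5 mentioned above.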
II.3 Execution Instructions

In some applications, the analyst may not wish to include any
option instructions for a run; a *TREE or *XEQ instruction should then
immediately succeed the ENDTREE card or the execution instruction
for the previous run. An execution instruction consists simply of the
name "*XEQ" or "*TREE" left-justified in field 1. In the absence of
options, FTAP responds to a *XEQ instruction by seeking a minimal
implicant family in terms of basic events for the fault tree top node.
FTAP responds to a *TREE instruction by performing a structural analysis
of the input tree and printing three types of information: (1) a
representation of the tree, which is similar to a listing of gate node
specification instructions; (2) an "inverse" tree, which identifies,
for each gate or basic node u, the set of immediate supernodes of u;
and (3) a representation of each modular subtree whose top node is a
simple module for the fault tree top node. Binary indicated implicant
counts are also printed for each modular subtree and its dual.

As an illustration, assume that the ENDTREE card of the example
tree specification is followed by the two instructions:

    *TREE
    *XEQ .

Output  for  the  first  run  begins  with  the  tree  representation: 


TREE FOR ANALYSIS
(B) PRECEDES BASIC EVENTS

NODE    LOGIC   SUBEVENTS
TOP     1           G2          G5
G2      2           G3          G4
G3      1           G4          G5
G4      2           -G6     (B) B11
G5      2           G7          G8
G8      1       (B) B13     (B) B14
G7      1       (B) B12     (B) B13
G6      2       (B) B9      (B) B10

Next  we  obtain  the  "inverse  tree": 


INVERSE TREE

NODE    IMMEDIATE SUPERNODES
G2      TOP
G3      G2
G4      G3      G2
G5      G3      TOP
G6      G4      TOP
G7      G5
G8      G5
B10     G6
B11     G4
B12     G7
B13     G7      G8
B14     G8
B9      G6

This is followed by modular subtree information, which completes
the *TREE run:

MODULAR SUBTREES
(B) PRECEDES BASIC EVENTS
(M) PRECEDES LARGEST SIMPLE GATE MODULES FOR SUBTREE TOP NODE

SUBTREE FOR NODE TOP
TOP     1           G2      (M) G5
G2      2           G3          G4
G3      1           G4      (M) G5
G4      2       (M) -G6     (M) B11
SUBTREE BINARY INDICATED IMPLICANT COUNT PRIMAL .4000E+01 DUAL .4000E+01

SUBTREE FOR NODE G5
G5      2           G7          G8
G7      1       (B) B12     (B) B13
G8      1       (B) B13     (B) B14
SUBTREE BINARY INDICATED IMPLICANT COUNT PRIMAL .4000E+01 DUAL .2000E+01

SUBTREE FOR NODE G6
G6      2       (B) B9      (B) B10
SUBTREE BINARY INDICATED IMPLICANT COUNT PRIMAL .1000E+01 DUAL .2000E+01


The  *XEQ  run  simply  yields  a minimal  basic  event  family  for  the  fault 
tree  top  node: 


IMPLICANTS FOR EVENT TOP

  1   B13
  2   B10     B9
  3  -B10     B11
  4  -B9      B11
  5   B12     B14

CPU TIME FOR RUN .349 SEC.

The flexibility of FTAP is due to a large variety of options
discussed in the next section; even for simple fault trees, the analyst
will  probably  wish  to  include  some  of  these  instructions  before  *TREE 
or  *XEQ.  All  options  affect  a run  initiated  by  a *XEQ  instruction. 
However,  when  the  *TREE  instruction  is  used,  the  only  options  that 
are  effective  are  those  that  modify  the  fault  tree  (TRUE,  FALSE)  or 
select  gate  events  for  analysis  (PROCESS,  ALL). 

II.4 Option Instructions

The first card of each option instruction contains the option
name in field 1. This initial card will be the only card for all
instructions except TRUE, FALSE, PROCESS, NELSON, and IMPORT. Options
TRUE, FALSE, PROCESS, and NELSON may be continued on subsequent cards
in the same manner as gate node definition instructions, by leaving
fields 1 and 2 blank on continuation cards; the number of continuation
cards is not restricted. The IMPORT option usually consists of more
than three cards but does not utilize the common continuation scheme.
Options other than these also have fields 2 through 8 blank, except
for MAXSIZE, which utilizes field 2.

Any  option  may  be  used  for  a run,  but  there  are  certain  pairs 
of incompatible options, and use of both options is treated by FTAP
as  an  error.  In  addition,  a particular  option  may  appear  no  more  than 
once  for  a run.  But  no  restriction  is  placed  on  the  number  of 
options  that  may  be  specified  for  a run  or  their  input  order. 

We  discuss  options  according  to  five  functional  categories. 

II.4.1 Fault Tree Modification (TRUE, FALSE)

TRUE and FALSE permit any gate or basic event variables to be
taken as identically true or false for a run. Node names are entered
in fields 3 through 8 of these instructions, with preceding dashes
signifying complementation; field 2 is blank.

The  effect  of  setting  event  variables  to  true  or  false  is 
accomplished  by  constructing  a modified  version  of  the  input 
fault  tree.  An  implicant  family  generated  by  FTAP  in  response  to 
the  *XEQ  instruction  then  applies  to  this  modified  tree,  as  does 
tree  structure  data  provided  for  the  *TREE  instruction.  Nodes 
listed  on  TRUE  and  FALSE  instructions  do  not  appear  in  the  modified 
tree,  nor  do  any  of  their  supernodes  whose  associated  event  variables 
become true or false. Some logic indicators for gate nodes in
the  new  tree  may,  of  course,  differ  from  those  in  the  input  tree. 

As  an  example,  the  Figure  5 tree  is  transformed  to  the  tree  of 
Figure  6 through  the  instruction: 


Col.   1                   21        31
       |                   |         |
       TRUE               -G3        B12

II.4.2 Gate Event Selection (PROCESS, ALL)

The  analyst  may  wish  to  obtain  implicant  families  for  events 
associated  with  gate  nodes  other  than  the  input  tree  top  node;  this 
is  achieved  by  using  a PROCESS  or  ALL  instruction.  The  PROCESS 
instruction  has  gate  node  names  in  fields  3 through  8,  with  dashes 
optionally  preceding  these  names.  Field  2 is  always  blank.  The  ALL 
option  consists  simply  of  the  string  "ALL"  in  field  1.  When  the 
*XEQ instruction initiates the run, an implicant family is obtained
for $x_u$ if the name for node u appears without a preceding dash
on a PROCESS instruction; a preceding dash results in an implicant
family for $x_{-u}$ ($= \bar{x}_u$). The PROCESS instruction, in fact,
determines modular structure $\{M_j\}_{j \in M(Q)}$ by specifying the
set of events Q.

The ALL instruction is less selective, and, when used in conjunction
with an *XEQ instruction, provides implicant families for $x_u$ for
every gate node u, as well as a family for $x_{-u}$ if the fault tree
contains complementing arcs. With the ALL option, the set Q for
the modular structure is thus either the set G of all gate nodes
or G ∪ (-G).

The  ALL  option  is  perhaps  more  useful  when  a *TREE  instruction 
initiates  the  run.  In  this  case,  output  from  the  tree  structure 
analysis procedure includes information on the modular subtree for
every  gate  node.  On  the  other  hand,  the  procedure  provides  modular 
subtree  information  only  for  nodes  corresponding  to  events  in  M(Q) 
if  the  set  Q is  selected  through  a PROCESS  instruction. 
When PROCESS and ALL options are absent, FTAP takes Q to
consist  only  of  the  fault  tree  top  node,  unless  the  input  fault 
tree  has  more  than  a single  top  node.  In  the  latter  case,  absence 
of  both  instructions  is  treated  as  an  error.  Events  in  Q which 
are  identically  true  or  false  are  messaged  at  the  beginning  of  run 
and  excluded  from  further  consideration. 

PROCESS  and  ALL  are  incompatible,  and  it  is  an  error  to  specify 
both  for  the  same  run. 


II.4.3 Methodology Specification (PRIME, ALLNEL, NELSON, MSUP, MSDOWN,
WRKFILES, MSONLY, DUAL, UPWARD, MINCHECK)

Options  discussed  here  affect  the  manner  in  which  FTAP  obtains 
implicant  families,  so  these  instructions  are  only  meaningful  for  runs 
initiated  by  the  *XEQ  instruction.  Except  for  NELSON,  these  options 
consist  only  of  the  instruction  name  in  field  1 of  a card. 

PRIME, ALLNEL, and NELSON instructions signal that the Nelson
method is to be employed in obtaining certain minimal families
in the modular structure. PRIME indicates that this method is to be
used only when the modular subtree for event j contains a complementing
arc. PRIME thus guarantees that all families generated for a run consist
of prime implicants; of course, this option has no effect if the input
fault tree is devoid of complementing arcs.

The ALLNEL option, on the other hand, is effective for any input
tree. In this case, the Nelson method is utilized in obtaining all
families in the modular structure.

The NELSON option permits the Nelson method to be applied
selectively for events corresponding to node names in fields 3
through 8 of this instruction. That is, if the name for some node
u occurs in one of these fields without a preceding dash, then as
long as u ∈ M(Q), $M_u$ is determined by the Nelson method; a preceding
dash has the same effect for $M_{-u}$. An event j ∉ M(Q) selected
by this instruction is ignored, so the analyst should have some
knowledge of M(Q), perhaps derived from an earlier structural
analysis of the fault tree.

If a modular subtree contains complementing arcs, it is possible
for an event variable associated with the subtree top node to be
identically true or false. The family for a variable $x_j$ which
is identically false is always empty, and FTAP gives this result.
However, if the variable is identically true, this may not be
apparent from FTAP results unless the Nelson method is utilized in
finding the family. The first task in this method is to find a complete
minimal family for the dual modular subtree, and this family is empty
if $x_j$ is true. Should it be empty, FTAP prints an appropriate
message and terminates the run.

PRIME,  ALLNEL,  and  NELSON  are  incompatible  with  each  other,  and 
only  one  of  the  three  may  appear  for  a run. 

Because FTAP automatically makes a reasonable choice between
MSDOWN and MSUP algorithms in finding families, the analyst
will not often want to include a MSDOWN or MSUP option for a run.
When the Nelson method is employed for a family, FTAP automatically
chooses the algorithm MSDOWN to first find a complete minimal family
for the dual modular subtree, but the user may override this choice
through the MSUP option. When the Nelson method is not employed,
FTAP chooses the MSDOWN algorithm to find the family unless implicant
elimination based on size or importance is enabled, in which case
the MSUP method is chosen. Again, either choice may be overridden
through a MSUP or MSDOWN option. Since fields 2 through 8 of
these options are blank, selective application to the families $M_j$
is not possible. The presence of both options for the same run
is treated as an error.

WRKFILES informs the program that sequentially organized file
space on magnetic disk is available for use as working storage.
FORTRAN file numbers 10, 11, and 12 must be assigned if this option
is used. This storage is only available to subroutines that implement
the dual algorithm. Though MSDOWN and ORDOWN methods both
employ  the  dual  algorithm,  magnetic  disk  storage,  when  necessary, 
will  most  often  be  utilized  in  application  of  the  Nelson  method  to 
large  modular  subtrees.  Thus,  the  WRKFILES  option  will  usually  appear 
in  conjunction  with  ALLNEL,  PRIME,  or  NELSON.  If  the  WRKFILES  option 
has  not  been  used  for  a run  which  must  be  terminated  because  of 
insufficient  working  space  in  main  memory,  a message  may  be  printed 
suggesting  that  main  memory  could  have  been  supplemented  by  magnetic 
disk  storage.  In  this  case,  it  is  reasonable  for  the  analyst  to  try 
a rerun  with  a WRKFILES  instruction. 

Once the modular structure has been found, the procedure for
finding implicant families in terms of basic events is very efficient
computationally, but for large fault trees, this final step might
require a great deal of main memory workspace. The MSONLY option
instructs FTAP to bypass this step, so only the modular structure
is determined. This instruction will also lead to more efficient
use of main memory in obtaining the modular structure, since families
$M_j$ need not be retained once they have been printed. Also, FTAP
includes a subroutine which, when provided with the family in
terms of largest simple modules for j, counts the number of implicants
in the minimal basic event family $I_j$ (without deriving this family).
Separate counts are accumulated by implicant size and printed by the
subroutine. If MSONLY is specified, the routine is called for each
j ∈ M(Q).

The DUAL option simply indicates that all implicant families
for a run are to be derived for the dual of the input fault tree.
Thus, if an implicant family associated with the primal tree consists
of system cut sets, a corresponding minimal path set family is obtained
by using the DUAL instruction.

The  UPWARD  option  invokes  an  algorithm  not  explicitly  stated 
in  Part  I.  This  method  closely  resembles  the  MSUP  algorithm:  The 
general  MSUP  technique  is  applied  to  the  entire  fault  tree  rather 
than  a modular  subtree,  with  basic  events  replacing  largest  simple 
modules.  Thus  implicant  families  are  generated  directly  in  terms  of 
basic  events  without  utilizing  the  modular  structure.  The  UPWARD 
option  may  be  useful  when  the  required  minimal  implicant  families 
in  terms  of  basic  events  are  expected  to  be  small,  which  might  be 
the  case  even  for  large  fault  trees  if  size  and  importance  elimination 
options  are  included  for  a run.  Because  the  modular  structure  is  not 
determined  when  this  option  is  specified,  certain  other  options  are 
incompatible with UPWARD. These are NELSON, PRIME, MSDOWN, MSUP,
MSONLY, MODSIZE, MSPRINT, and MSPUNCH, the last three of which
we will consider shortly.

The  MINCHECK  instruction  is  only  effective  when  it  accompanies 
the  UPWARD  option.  MINCHECK  specifies  that  minimization  only  be 
applied  to  implicant  families  for  events  in  the  set  Q determined 
by  PROCESS  or  ALL  options,  or  in  the  absence  of  these  options,  to 
the  family  for  the  fault  tree  top  node.  Thus,  intermediate  families 
generated  for  events  that  are  not  of  interest  to  the  analyst  are  not 
minimized. 

II.4.4 Control of Printed and Punched Output (MSPRINT, STATUS,
DSTATUS, PUNCH, MSPUNCH, NOPRINT)

These  options  control  output  information  regarding  implicant 
families  and  are  effective  only  for  runs  initiated  with  a *XEQ 
instruction. 

MSPRINT instructs FTAP to include the modular structure families
in  printed  output.  This  option  is  unnecessary  when  MSONLY  is 
provided,  because  MSONLY  also  enables  printing  of  the  modular  structure. 
As  an  illustration,  suppose  the  ENDTREE  card  for  specification  of  the 
Figure  5 tree  is  followed  by  the  instructions: 

MSPRINT 

*XEQ  . 


Modular  structure  output  is  then: 

IMPLICANTS IN TERMS OF LARGEST SIMPLE MODULES

IMPLICANTS FOR EVENT G6
  1   B10     B9

IMPLICANTS FOR EVENT -G6
  1  -B9
  2  -B10

IMPLICANTS FOR EVENT G5
  1   B12     B14
  2   B13

IMPLICANTS FOR EVENT TOP
  1   G5
  2   G6
  3  -G6      B11


The STATUS option yields information on the progress of generating
each minimal implicant family, giving the number and maximum
size of implicants in various intermediate families, as well as data
on computation times and the amount of unused main memory. STATUS
provides a brief record of each iteration of the MSDOWN method. As
an illustration, consider the instruction group:

    MSPRINT
    STATUS
    *XEQ .

A sample of the output for the event TOP modular structure family
from a run initiated by these instructions is as follows:

LARGEST SIMPLE MODULES FOR TOP
G5      B11     G6

EVENT TOP DOWNWARD
NUMBER OF IMPLICANTS IN TABLE    3    MAXIMUM LENGTH    1
NUMBER OF IMPLICANTS IN TABLE    3    MAXIMUM LENGTH    2
NUMBER OF IMPLICANTS IN TABLE    3    MAXIMUM LENGTH    1
MINIMIZATION                     3    MAXIMUM LENGTH    1
NUMBER OF IMPLICANTS IN TABLE    3    MAXIMUM LENGTH    2
MINIMIZATION                     3    MAXIMUM LENGTH    2
UNUSED STORAGE BEGINS AT 361
CPU TIME FOR EVENT .070 SEC

IMPLICANTS FOR EVENT TOP
  1   G6
  2   G5
  3  -G6      B11


STATUS information for the Nelson method is similar to the above,
except the various "downward" lines refer to implicants for the dual
subtree, and data on the number and size of implicants obtained from
the dual algorithm precedes storage and time data.

Information for the MSUP method is somewhat different. The run
instructions

    MSPRINT
    MSUP
    STATUS
    *XEQ

give this output for the event TOP modular structure family:

LARGEST SIMPLE MODULES FOR TOP
G5      B11     G6

EVENT TOP  DOWNWARD  --  IN TABLE    3    MAXIMUM LENGTH    1
MINIMIZATION                         3    MAXIMUM LENGTH    1
EVENT G2   DOWNWARD  --  IN TABLE    1    MAXIMUM LENGTH    1
EVENT G4   DOWNWARD  --  IN TABLE    1    MAXIMUM LENGTH    [illegible]
EVENT G4   UPWARD    --  IN TABLE    1    MAXIMUM LENGTH    2
EVENT G2   UPWARD    --  IN TABLE    1    MAXIMUM LENGTH    2
EVENT TOP  UPWARD    --  IN TABLE    3    MAXIMUM LENGTH    2
MINIMIZATION                         3    MAXIMUM LENGTH    2
UNUSED STORAGE BEGINS AT 387
CPU TIME FOR EVENT .129 SEC

IMPLICANTS FOR EVENT TOP
G6
G5
-G6     B11


The  "downward"  information  now  represents  successive  applications  of 
the  ORDOWN  algorithm  to  events  TOP,  G2,  and  G4.  These  events  are  then 
considered  in  upward  order,  as  the  family  for  TOP  in  terms  of  largest 
simple  modules  is  generated.  The  "upward"  information  format  is  also 
used  in  a rather  obvious  way  to  chart  the  progress  of  constructing 
basic  event  families,  whether  this  construction  proceeds  from  the 
modular  structure  or  in  the  manner  associated  with  the  UPWARD  option. 
DSTATUS causes the subroutine package for the dual algorithm
to  provide  data  on  the  sizes  of  various  tables  associated  with  that 
algorithm.  This  data  is  only  printed  when  the  Nelson  method  is  used 
and  the  subroutine  package  is  applied  to  the  implicant  family  for  a 
dual  modular  subtree.  Some  familiarity  with  Reference  [17]  is  required 
to  interpret  this  output. 

PUNCH  and  MSPUNCH  options  allow  implicant  families  to  be  punched 
on  80-column  cards  for  input  to  other  programs.  FORTRAN  file  number  7 
should  be  assigned  to  the  card  punch  (or  magnetic  disk)  if  these 
instructions  are  used.  Events  associated  with  the  input  fault  tree 
are represented by positive and negative integers on punched output,
and  whenever  the  MSPUNCH  option  is  used,  this  numbering  scheme  is  the 
same  as  suggested  in  Part  I.  MSPUNCH  enables  punching  of  the  modular 
structure,  and  determines  that,  for  the  q nodes  of  the  input  fault 
tree,  integers  1 to  p are  to  represent  gate  nodes  on  punched  output 
and  p + 1 to  q are  to  represent  basic  nodes.  The  PUNCH  option 
causes  basic  event  families  to  be  punched.  Unless  MSPUNCH  accompanies 
the  PUNCH  instruction  for  a run,  integers  1 to  q - p number  basic 
nodes  on  output. 

When either MSPUNCH or PUNCH is used, the first group of punched
cards for a run gives the correspondence between node names and numbers.
The initial card of the group has the FORTRAN format (5HNAMES,I5),
where the single integer field contains the number of names (which will
be q if MSPUNCH is specified and q - p if only PUNCH is specified).
On the remaining cards node numbers are paired with node names, with
up to five pairs appearing on a card in the format (5(I5,3H - ,A8)).

The modular structure, if requested, is given by the next group
of cards, whose initial card has a (5HIMPMS,I5) format, containing
the run number in the integer field. The representation of each
family then begins with a (5HEVENT,I5,I6) format header card,
having the positive or negative integer j in the first field and
the number of implicants in the family in the second. Following
the header card, each implicant of the family starts on a separate
card with a (16I5) format and may continue on additional cards with
the same format. On the first card for an implicant, field 1 always
contains the number of events in the implicant. These events are
represented in fields 2 through 16 of the first card and 1 through 16
on subsequent cards.

Output for basic event families is preceded by a (5HIMPBE,I5)
format card, with the run number in the integer field. The general
format for representing these families follows that of the modular
structure, where the basic event families $\{I_j\}_{j \in Q}$ take the
place of $\{M_j\}_{j \in M(Q)}$. Again, Q either contains the fault tree
top node or events indicated by a PROCESS or ALL instruction.
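
A writer and reader for the punched card formats just described, for a program that consumes FTAP output. This is an added Python illustration, not FTAP code; the node numbering in the sample (gates 1 to 8, basic nodes 9 to 14) is constructed and is not the numbering FTAP would assign.

```python
def i_fmt(n, width=5):
    """FORTRAN Iw edit descriptor: integer right-justified in `width` columns."""
    return str(n).rjust(width)

def punch(names, groups):
    """Emit card images for a NAMES group followed by IMPMS/IMPBE groups.

    names:  {node number: node name}
    groups: [(kind, run number, {event number j: [implicants]})], an implicant
            being a list of signed event numbers (negative = complemented event)."""
    cards = ["NAMES" + i_fmt(len(names))]                          # (5HNAMES,I5)
    pairs = [i_fmt(n) + " - " + name.ljust(8) for n, name in sorted(names.items())]
    cards += ["".join(pairs[k:k + 5]) for k in range(0, len(pairs), 5)]  # (5(I5,3H - ,A8))
    for kind, run, families in groups:
        cards.append(kind + i_fmt(run))                            # (5HIMPMS,I5) / (5HIMPBE,I5)
        for j, family in families.items():
            cards.append("EVENT" + i_fmt(j) + i_fmt(len(family), 6))    # (5HEVENT,I5,I6)
            for implicant in family:
                fields = [len(implicant)] + list(implicant)        # field 1 = number of events
                cards += ["".join(map(i_fmt, fields[k:k + 16]))    # (16I5), continued as needed
                          for k in range(0, len(fields), 16)]
    return cards

def read_punched(cards):
    """Parse card images back into (names, [{"kind", "run", "families"}])."""
    deck = iter(cards)
    head = next(deck)
    if head[:5] != "NAMES":
        raise ValueError("deck must begin with a NAMES card")
    count, names = int(head[5:10]), {}
    while len(names) < count:
        line = next(deck)
        for k in range(0, len(line.rstrip()), 16):                 # up to five 16-column pairs
            names[int(line[k:k + 5])] = line[k + 8:k + 16].rstrip()
    groups, family, remaining = [], None, 0
    for line in deck:
        tag = line[:5]
        if tag in ("IMPMS", "IMPBE"):
            groups.append({"kind": tag, "run": int(line[5:10]), "families": {}, "declared": {}})
        elif tag == "EVENT":
            j = int(line[5:10])
            groups[-1]["declared"][j] = int(line[10:16])
            family = groups[-1]["families"].setdefault(j, [])
        else:
            fields = [int(line[k:k + 5]) for k in range(0, len(line.rstrip()), 5)]
            if remaining == 0:                                     # first card of an implicant
                remaining, fields = fields[0], fields[1:]
                family.append([])
            family[-1].extend(fields)
            remaining -= len(fields)
    if remaining:
        raise ValueError("deck ends inside an implicant")
    for group in groups:
        for j, n in group.pop("declared").items():
            if len(group["families"][j]) != n:
                raise ValueError(f"event {j}: implicant count does not match header card")
    return names, groups

# Constructed sample: families taken from the printed output earlier in this section,
# with illustrative node numbers (TOP=1, G2..G8 = 2..8, B9..B14 = 9..14).
NAMES = {1: "TOP", **{n: f"G{n}" for n in range(2, 9)}, **{n: f"B{n}" for n in range(9, 15)}}
GROUPS = [
    ("IMPMS", 1, {6: [[10, 9]], -6: [[-9], [-10]], 5: [[12, 14], [13]],
                  1: [[5], [6], [-6, 11]]}),
    ("IMPBE", 1, {1: [[13], [10, 9], [-10, 11], [-9, 11], [12, 14]]}),
]

if __name__ == "__main__":
    for image in punch(NAMES, GROUPS):
        print(image)
```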

Finally,  the  analyst  may  sometimes  wish  to  obtain  punched  output 
but  suppress  printed  output  for  large  basic  event  families.  In  such 
cases,  the  NOPRINT  option  should  accompany  the  PUNCH  option.  NOPRINT 
only  suppresses  printing  of  basic  event  families  and  does  not  affect 
the MSPRINT option.


II.4.5 Implicant Elimination Based on Size and Importance (MAXSIZE,
MODSIZE, IMPORT)

These options are compatible with all of the algorithms MSDOWN,
MSUP, and Nelson, as well as the method associated with the UPWARD
instruction. If size or importance options are included for a run
and options MSDOWN, PRIME, ALLNEL, and NELSON are absent, the MSUP
algorithm is chosen automatically by FTAP, even for modular subtrees
containing complementing arcs. However, it has been pointed out in
Part I that when the MSUP method is applied to a subtree with
complementing arcs, the resulting subfamily of size or importance
restricted sets may not be meaningful. Thus, in utilizing these
options, the analyst will usually want to insure that the Nelson
method is employed for such subtrees.

The MAXSIZE option imposes a uniform size restriction on implicants
in the modular structure and basic event families generated by FTAP.
Field 2 of this instruction gives the maximum number of events permitted
in an implicant; a positive integer may appear anywhere in the field.
Fields 3 through 8 of the card are blank.

As discussed in Part I, modular size importance is often a more
efficient criterion for implicant elimination than a simple size
restriction. This criterion is applied in the manner suggested in
Subsection I.3.2, which we briefly recall: The subfamilies
$\{M'_j\}_{j \in M(Q)}$ are generated in "upward" order, with $M'_j$
constructed following families for subevents of j. An implicant M is
retained in $M'_j$ only if $\sum_{m \in M} \sigma(m)$ does not exceed the
fixed size restriction, where $\sigma(m) = 1$ if m is a basic event, and
for m a gate event, $\sigma(m)$ is available from an earlier computation
which followed construction of $M'_m$,

$$\min_{K \in M'_m} \Big( \sum_{k \in K} \sigma(k) \Big) \qquad (M'_m \neq \emptyset).$$

FTAP implements elimination based on modular size importance when
the MODSIZE option accompanies MAXSIZE; in this case, MAXSIZE specifies
the fixed size restriction. MODSIZE is not effective in the absence
of the MAXSIZE option.

FTAP also allows for implicant elimination based on the product
importance criterion. Here an implicant M is retained in $M'_j$ only
if $\prod_{m \in M} i(m)$ exceeds some critical value c, where i(m) is an
arbitrary value between 0 and 1 for m a basic event, and for
m a gate event, i(m) has been determined from

$$\max_{K \in M'_m} \Big( \prod_{k \in K} i(k) \Big) \qquad (M'_m \neq \emptyset).$$

The  criterion  is  applied  again  when  basic  event  families  are  obtained 
from  the  modular  structure. 

The product importance option requires a group of cards to
specify the values i(·) for basic events and the critical value c.
The first card of the group contains only the option name "IMPORT"
in field 1; other fields are blank. Cards which assign i(·) values
follow this initial card. These cards always have field 1 blank,
a positive decimal value between 0 and 1 in field 2, and basic
event names in fields 3 through 8, with optional dashes preceding these
latter fields. The value in field 2 may be in FORTRAN E or F
format and must contain a decimal point. An F-format item, such
as .5 or .001, may appear anywhere within the field, but E-format
items, such as 1.25E-2 or .1E-1, must be right-justified. Should the
name for basic node u appear on a card, i(u) is assigned the
value in field 2 of that card when the name is not preceded by a dash;
a preceding dash causes the field 2 value to be assigned to i(-u).

As many cards as desired may be used to set i(·) values, but it is
not required that values be provided for all basic events: FTAP assigns
i(k) a default of 1 for any event k not represented on one of
these cards.

The card that must terminate the product importance group has the
string "LIMIT" left-justified in field 1 and a decimal value between
0 and 1 again in field 2. Fields 3 through 8 are blank. The field
2 value is the critical value c for the importance test.

As  a simple  illustration  of  the  above  options,  suppose  for  the 
example  tree,  the  analyst  desires  only  prime  implicants  consisting  of 
a single  basic  event,  and  implicants  involving  node  B9  are  not  of 
interest.  Suitable  cards  for  this  run  are: 

Col.  1         11        21        31
      MAXSIZE   1
      IMPORT
                .4        B9        -B9
      LIMIT     .5
      PRIME
      *XEQ




II.5 Program Implementation

FTAP is available in two distinct versions that differ only in
the internal storage format for representing implicant sets. FTAP1
stores an implicant as a variable number of consecutive computer
words in main memory. The first word of the group contains the
integer number of events in the set, and a positive or negative
integer value in each of the remaining words identifies an implicant
event. FTAP2, on the other hand, stores an implicant set as a fixed
group of consecutive words, and a fault tree event is associated with
a unique bit position in one of these words. Bit positions
corresponding to events in the implicant contain the value 1, whereas
other bit positions contain 0. The fixed number of words required
for an implicant set depends on the computer word length, the particular
stage of FTAP processing, and whether the input fault tree contains
complementing arcs. When modular structure families are constructed
for a fault tree without complementing arcs, the number of words must
be sufficient to accommodate one bit position for each gate and basic
node. For fault trees with complementing arcs, two bits are needed
for a node, one for each event associated with the node. When basic
event families are constructed, the situation differs only in the
fact that bit positions are not needed for representation of gate
events.

FTAP2  is  the  more  efficient  of  these  two  versions  in  terms  of 
computation  time  and  should  be  chosen  for  most  applications.  However, 
for  large  fault  trees  (having,  say,  more  than  200  gate  nodes),  it  is 
often  feasible  only  to  obtain  implicants  having  a small  number  of  events. 
The  storage  format  of  FTAP1  becomes  an  advantage  in  such  applications. 

FTAP1 and FTAP2 are designed for use on most general purpose
computers.  The  codes  have  been  carefully  prepared  to  ensure  that 
program  logic  is  tight  and  efficient,  and  subroutines  for  minor 
tasks  such  as  sorting  and  searching  use  good  standard  algorithms, 
as  given  in  [9].  The  FORTRAN  portion  of  each  program  conforms  to 
ANSI  specifications,  except  for  array  subscripts,  which  are  apt  to 
consist  of  expressions  using  two  or  more  simple  FORTRAN  integer 
variables  with  addition,  subtraction,  and  multiplication  operations, 
and  sometimes  the  integer  absolute  value  operation.  Most  FORTRAN 
compilers  allow  such  expressions. 

Main  memory  work  space  for  either  code  is  confined  to  one  single 
subscripted  integer  array,  denoted  by  the  FORTRAN  name  IA.  Storage 
in  this  array  is  dynamically  allocated  for  maximum  efficiency  in  use 
of main memory. Because fault trees of approximately the same size
may  differ  considerably  in  their  structure,  it  is  difficult  to  state 
even  roughly  how  large  IA  should  be  to  accommodate  analysis  of  a 
fault  tree  with  some  given  number  of  nodes.  The  analyst  should  make 
IA  as  large  as  feasible  for  the  environment  in  which  the  program  is 
implemented;  for  instance,  if  the  program  is  required  to  execute  in 
a fixed  partition  of  computer  main  memory,  then  the  object  code  length 
plus  storage  for  IA  should  fill  the  partition.  If  the  environment  is 
such  that  program  use  becomes  more  inconvenient  as  storage  requirements 
increase,  an  initial  length  of  IA  should  be  chosen  perhaps  between  300 
and  1000  times  the  maximum  number  of  gate  nodes  in  any  tree  to  be 
analyzed;  this  length  may  then  be  increased  as  necessary. 

Implementation of FTAP1 or FTAP2 is accomplished according to
the following steps:

1. The desired dimension of the array IA should be set in
the declarative statement for this array near the beginning
of the main program. Since the code must be capable of
determining when storage requirements exceed availability,
the length of the array must be provided for internal program
use. This is done by initialising the variable IASIZE
through a FORTRAN DATA statement, which also appears near
the beginning of the main program.

2.  The  first  executable  statement  in  the  main  program  for  FTAP2 
assigns  a positive  integer  value  to  the  variable  LWORD.  This 
value  should  be  set  to  the  length  of  a computer  word  less  one. 

3.  When  accessed  by  other  routines,  the  REAL  function  TIME  returns 
the  amount  of  elapsed  time  since  the  beginning  of  the  computer 
job.  The  proper  form  of  the  subroutine  CALL  statement  in 
function  TIME  may  depend  on  the  particular  computer  installation, 
and  this  statement  should  be  modified  accordingly. 

4. The group of assembler language routines should be chosen to
correspond to both the computer and FORTRAN compiler used.
Three groups of assembler language routines are supplied
with FTAP1 or FTAP2: for use with (1) CDC 6600/7600 machines
and RUN compiler linkage convention, (2) CDC 6600/7600
machines and FTN compiler linkage convention, or (3) IBM 360/370
machines (G or H compiler linkage convention). To implement
FTAP1 or FTAP2 on other machines, one or more assembler routines
must be prepared according to specifications given in the
following section.

II.6 Specifications for Assembler Routines

The  routines  discussed  in  this  section  are  all  very  simple, 
and  the  largest  should  not  require  many  more  than  25  statements  in 
any assembler language. FTAP1 utilizes only routine CCM, but all
routines  are  accessed  by  FTAP2. 

1. CCM (IW1, IW2, ITEST):

CCM  logically  compares  the  contents  of  computer  words  IW1  and 
IW2  and  returns  the  result  of  the  comparison  in  word  ITEST.  If 
contents of IW1 and IW2 are identical, then ITEST will contain a 0;
otherwise the value in ITEST depends on the highest bit in which the
words differ. When this bit is 1 in IW1 and 0 in IW2, ITEST
is returned as 1; in the reverse situation ITEST is returned as -1.

2. ORM (IW1, IW2, IOR):

The  contents  of  word  IOR  returned  by  this  routine  is  simply  a 
logical  OR  of  words  IW1  and  IW2. 

3. ANDM (IW1, IW2, IAND):

ANDM returns in word IAND the result of a logical AND of IW1
and IW2.

4.  PUTM  (LV,  IV,  IW): 

When PUTM is accessed, IV is an array of successive words containing
positive integer values in increasing order. No value exceeds the
number of bits in a computer word. The location LV contains a positive
integer representing the length of IV. The function of PUTM is to
place a 1 in each bit position of word IW numbered by an integer
in array IV; other bit positions are set to 0. As an example,
suppose the computer word length is 16, and PUTM is accessed with 4
in LV, and IV(1) through IV(4) contain, respectively, 2, 5, 7, and 16.
On return, IW then contains the bit pattern "1000000001010010".
The bit numbering for this example is increasing from right-to-left.

5. GETM (IW, LV, IV):

GETM  performs  the  reverse  operation  of  PUTM.  On  return,  IV  is 
a vector  of  consecutive  words  containing  bit  numbers  for  all  bits 
that  are  1 in  word  IW.  These  integers  are  in  increasing  order  in 
IV,  and  the  number  of  integers  in  this  vector  is  returned  in  LV. 

GETM may be accessed with IW having 0's in all bit positions, in
which case LV is returned with an integer value of 0.

6.  BCM  (IW,  NBITON): 

BCM  returns  in  NBITON  the  count  of  bit  positions  containing  1 
in  word  IW.  The  value  in  NBITON  is  thus  an  integer  between  0 and 
the  number  of  bits  in  a computer  word. 
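
The six routines specified above, written out in portable C as an added example (not code from FTAP or its authors). It assumes a 16-bit word as in the PUTM example; the lowercase names, the direct return values and the range check in putm are choices made here.

```c
#include <stdint.h>
#include <stdio.h>

#define WORD_BITS 16            /* assumed word length, as in the PUTM example */
typedef uint16_t word_t;

/* The FORTRAN-callable originals return results through their last argument;
   these C versions return them directly where that is simpler. */

/* CCM: 0 if equal, else +1 or -1 according to which word holds the 1 in the
   highest differing bit. This is an unsigned ordering: a signed integer
   compare gives the wrong sign when the top bits differ. */
int ccm(word_t iw1, word_t iw2) {
    word_t diff = iw1 ^ iw2;
    for (int bit = WORD_BITS; bit >= 1; bit--) {
        word_t mask = (word_t)(1u << (bit - 1));
        if (diff & mask) return (iw1 & mask) ? 1 : -1;
    }
    return 0;
}

word_t orm(word_t iw1, word_t iw2)  { return iw1 | iw2; }
word_t andm(word_t iw1, word_t iw2) { return iw1 & iw2; }

/* PUTM: set the bits numbered in iv[0..lv-1] (bit 1 is rightmost), clear the
   rest. Added check: a number outside 1..WORD_BITS returns -1. */
int putm(int lv, const int *iv, word_t *iw) {
    word_t w = 0;
    for (int k = 0; k < lv; k++) {
        if (iv[k] < 1 || iv[k] > WORD_BITS) return -1;
        w |= (word_t)(1u << (iv[k] - 1));
    }
    *iw = w;
    return 0;
}

/* GETM: inverse of PUTM; iv needs room for WORD_BITS entries. Returns LV. */
int getm(word_t iw, int *iv) {
    int lv = 0;
    for (int bit = 1; bit <= WORD_BITS; bit++)
        if (iw & (1u << (bit - 1))) iv[lv++] = bit;
    return lv;
}

/* BCM: number of 1 bits, clearing the lowest set bit each pass. */
int bcm(word_t iw) {
    int n = 0;
    for (; iw; iw &= (word_t)(iw - 1)) n++;
    return n;
}

int main(void) {
    int iv[4] = {2, 5, 7, 16};  /* the PUTM example from the text */
    word_t w = 0;
    if (putm(4, iv, &w) == 0) printf("IW = 0x%04X, BCM = %d\n", (unsigned)w, bcm(w));
    return 0;
}
```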